Hackers Target Turkish Kebab Businesses

Tyler Cross, Senior Writer

A service provider used by multiple Turkish food delivery services was found to have a gaping vulnerability that leaked customer data each time an order was placed.

“Each time a new order comes, any outsider can find out sensitive customer information, such as names, home addresses, phone numbers, email addresses, order details, IP addresses, and some authentication tokens,” said the Cybernews research team.

Anyone who found the breach could see every aspect of the orders you placed. Making matters worse, the vulnerability has been live for more than a full year now. If even a single threat actor found the leaks before researchers, they could have theoretically obtained more than three million people’s records.

The leak in question didn’t appear to researchers to be caused by a sophisticated attack, but rather by negligence on the side of the service provider, Kafka.

“Such systems should not be left exposed to the public with broken access control or any authentication at all, as in this case. Enabling authentication and configuring IP whitelisting are the first steps to ensure that the system can only be accessed from a trusted network,” they explain.

Researchers discovered the leak in January and have emailed the company on eight separate occasions since then. However, at the time of writing, the company has neither responded nor addressed the issue.

While a data leak can happen, it should never happen because a company refuses to take basic security precautions, such as authenticating administrative access to its data records. As it stands, hackers could use the stolen information for phishing scams, doxxing, identity theft, and more.

Multiple companies are affected by the service provider’s leaks, including food delivery apps with 10-plus million downloads.

Gemir and Yemek Sepeti are the largest affected companies, both seeing approximately 4.8 million monthly website visitors. Migros, another service with more than 10 million downloads, sees 184K monthly visitors.

Other businesses that were found to have data being leaked by Kafka include Trendyol, Manuel, Çağrı Merkezi, Sube, and Paket.

About the Author

Tyler Cross, Senior Writer

Tyler is a writer at SafetyDetectives with a passion for researching all things tech and cybersecurity. Prior to joining the SafetyDetectives team, he worked with cybersecurity products hands-on for more than five years, including password managers, antiviruses, and VPNs and learned everything about their use cases and function. When he isn't working as a "SafetyDetective", he enjoys studying history, researching investment opportunities, writing novels, and playing Dungeons and Dragons with friends.
