
DotPe leaves API public, exposes sensitive data of top restaurant


by · India Today

In Short

  • Hackers accessed sensitive data without authentication
  • Most ordered items from Social outlets were exposed
  • Financial details of Social outlets were also accessible

Indian startup DotPe, known for providing point of sale (POS) systems for restaurants, has reportedly faced a security lapse.

According to tweets shared by social media users, DotPe's entire API was left public, meaning anyone could access sensitive information without any authentication.

Security lapse allowed hacker to access API

In one tweet, a user revealed that a hacker found the most ordered items from every outlet of Social, a popular restaurant chain in India.

“Zero auth,” the tweet mentioned, implying that no authentication was needed to get the data.

Another tweet highlighted that this security flaw allowed people to see not just the most ordered items but also financial details from Social outlets across the country.

"@ankitkr0 just shared the most insane post with me where someone saw that DotPe was allegedly not requiring authN across its APIs to look up how much Social makes across the country and the most ordered items. Unsurprisingly Delhi loves Banarasi Patiala with Vodka," said a tweet from an X user.

'Banarasi Patiala with Vodka' most ordered across Social outlets in Delhi.

In Delhi, the most popular item from the Social outlet was the 'Banarasi Patiala with Vodka,' a cocktail blend.

This revelation raises concerns about DotPe's security measures, especially as the startup recently raised around $58 million in Series B funding to expand its services.

DotPe, based in Gurugram, secured $58 million in a Series B funding round in September 2022. This round was led by Temasek and included contributions from existing investors PayU and InfoEdge Ventures. New investors Mitsubishi and Naya Capital also participated.

While there hasn’t been any official response from DotPe yet, this incident underscores the importance of proper security protocols, particularly in the tech-driven restaurant industry where customer and sales data is highly valuable.