I have been building a QR table ordering platform and security has been on my mind throughout. The AI tools I use while coding are great at writing features but terrible at thinking about what could go wrong. So I do that part myself.

One concern I kept coming back to: what stops someone from grabbing the URL behind a QR code and using it from home? I switched to UUIDs in my own app early on, but at some point I ran out of ideas and decided to test a production system instead. If I could find a real attack surface in a live product, I would know exactly what to harden in mine.

I have a favorite sushi place in Barcelona. One of the very few restaurants in the city that uses QR ordering. The problem was that I did not have a photo of their QR code handy.

Google Maps reviewers did.

A bit of scrolling, a screenshot, perspective correction, sharpness adjustment, and I had a clean scannable code. I scanned it from my apartment… and it worked!

The session loaded with the restaurant’s full menu, the current order for that table, the total price, how many people were seated, and a button to add more food. I had full access to a live table session without being anywhere near the restaurant.

Then I looked at the URL. The table identifier was not a UUID. It was a long sequential decimal number. I adjusted the last few digits and landed on a second active table. From there the pattern was obvious:

f(t) = large_constant - table_index

Every table in the restaurant, accessible from anywhere, in real time!

At scale, this is not just a curiosity. You could extract a business’s full consumer patterns from your pocket: how many people are dining, what they are ordering, when they order, how much they spend. Or you could just send surprise dishes to every table, which would be funny until it wasn’t.

I contacted the provider’s security team through their authorized channels the same day. Needless to say, I didn’t interact with or modify any other customer’s live session.
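As an added example (not code from this post or from the provider it describes), here is one way to harden the table URL discussed above: an unguessable per-table token replaces the sequential number, and a session is only readable or orderable while staff have an open seating whose PIN is handed over in person. The class, its method names, the 6-digit PIN, the 3-hour limit and the lockout count are all assumptions made for illustration.

```python
import hmac
import secrets
import time

SESSION_TTL = 3 * 60 * 60  # assumed maximum length of one seating, in seconds
MAX_PIN_FAILURES = 5       # assumed lockout threshold per seating


class TableSessions:
    """Hypothetical server-side store for table tokens and open seatings."""

    def __init__(self):
        self._tables = {}    # opaque QR token -> internal table index
        self._seatings = {}  # opaque QR token -> (pin, expiry, failed attempts)

    def register_table(self, table_index):
        # 128 random bits: knowing one table's token says nothing about the next.
        token = secrets.token_urlsafe(16)
        self._tables[token] = table_index
        return token

    def open_seating(self, token, now=None):
        # Called by staff when guests sit down; the PIN never appears in the QR code.
        if token not in self._tables:
            raise KeyError("unknown table token")
        now = time.time() if now is None else now
        pin = f"{secrets.randbelow(10**6):06d}"
        self._seatings[token] = (pin, now + SESSION_TTL, 0)
        return pin

    def close_seating(self, token):
        # Called when the bill is paid; a photographed QR code is now inert.
        self._seatings.pop(token, None)

    def authorize(self, token, pin, now=None):
        """Return the table index if the request may see or change the order, else None."""
        now = time.time() if now is None else now
        seating = self._seatings.get(token)
        if seating is None:
            return None
        expected_pin, expires_at, failures = seating
        if now >= expires_at or failures >= MAX_PIN_FAILURES:
            return None
        if not hmac.compare_digest(pin.encode(), expected_pin.encode()):
            # Count the miss; after the threshold staff must reopen the seating.
            self._seatings[token] = (expected_pin, expires_at, failures + 1)
            return None
        return self._tables[token]
```

The random token removes the enumeration pattern, and the staff-opened seating is what makes a QR code copied from a public photo useless on its own.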