Over a million order records from 200,000 customers of the Gorillas delivery service were publicly accessible. That is what the collective Zerforschung found out. The records contained the recipient's name, telephone number, email address and delivery address for each order, as well as the products ordered and, if a credit card was used to pay, its expiry date.
Research had already revealed a data leak at the delivery service Flink in March; there, 3700 data records were affected. The collective was able to reach an order query via a GraphQL API. This gap has reportedly since been closed. The research also found a data leak at the Hamburg-based provider Bringoo.
In the Gorillas case, Zerforschung says it documented the gaps and reported them to CERT-Bund, which verified them and forwarded them to Gorillas. According to its own statement, the delivery service has now closed the gaps described and has also informed the customers and suppliers affected by the problem. “To the best of the company’s knowledge, no data has been stolen or otherwise misused”, Gorillas is quoted as saying on berlin.de, the site of the company's home city.
Front doors and doorbell signs
GraphQL also played a role in the collective's research into the Gorillas data leak. “In order to be able to access the queries about the orders, you need an access code (JSON Web Token)”, explains Zerforschung. Anyone who logs into the app receives a token of this type. “Expecting that we could use it to query our own data at most, we took our access token from the app's data traffic and entered it into our GraphQL client. And we actually got data. Not just ours, but everyone's.” Earlier in the course of the research, the collective had also seen photos of front doors and doorbell signs.
The exposed data could form the basis for a perfidious attack scenario, explains Zerforschung. “We know the data of all customers, including their orders, and can write e-mails on behalf of Gorillas.” Customers could, for example, be tricked into paying a bill twice. “Since the domains gorlllas.io and goriilas.io are still free, even domains that look familiar could be used here for payment,” says the collective.
Gorillas serves twelve German cities as well as cities in the Netherlands, Great Britain and France. With a range of 1000 products, Gorillas promises delivery within ten minutes. It is rumored in financial circles that the start-up, founded in Berlin in 2020, will be valued at one billion euros.