A new damper on the hype around ultra-fast delivery services: the Berlin startup Flink is said not to have protected its users' data well enough.
Until a few days ago, the Berlin delivery startup Flink had a serious security flaw in its app: the names, addresses, orders and credit card details of more than 3,700 customers could easily be accessed by strangers, without knowing any passwords. This is what the RBB and security researchers from the Zerforschung group report.
The data interface of the app was so poorly protected, they write, that gaining access would take only half an hour with enough practice. A programmer from Zerforschung told the RBB: “I was surprised that the data was lying around so openly. At first I suspected it was just test data. After a test order, however, it became clear to me that this was real customer data.”
“This could take over accounts, for example at Amazon”
Flink said it had fixed the vulnerability on March 6, following a tip from RBB and Zerforschung, and had informed its users and the Berlin data protection officer. It is not known how long the problem existed before that or whether the data was misused. “The last four digits of the credit card number are often used by the telephone support of websites to verify identity. This could then be used to take over accounts, for example at Amazon,” a programmer from Zerforschung told the RBB.
Super-fast delivery services are experiencing a hype in this country due to the pandemic and lockdowns. Flink and its main competitor Gorillas promise to bring groceries to the front door by bike courier in just ten minutes. Behind Flink are well-known industry figures Julian Dames (formerly at Foodora), Christoph Cordes (ex-boss of Home24) and Oliver Merkel (previously retail expert at Bain & Company), who received capital from Target Global, Cherry Ventures and the London-based early-stage investor Northzone. The ten-minute delivery services are on an aggressive course of expansion that is reaching its limits not only in terms of labor law, but now apparently also in terms of data protection.