Caviar is Cavalier About Privacy

The "on-demand economy" is everywhere these days. With the tap of a screen you can summon a taxi or have food delivered from your favorite restaurant. Often these services even provide you with real-time updates on the location of the car or courier so you know exactly when they'll be showing up. From a user's perspective this is awesome, but there are pretty big privacy implications at play here, both for users of these services and for those working for them.

To that point, I'd like to discuss some glaring privacy issues I found when using Caviar, a courier service that focuses on delivering food from local restaurants.

TL;DR - if you're a courier for Caviar or a user of Caviar, you should request that they fix these issues as soon as possible.

Courier Tracking

Back on July 11 I ordered a delivery through Caviar. Once the courier was en route to my house the page started updating to show their location. Like most developers, I cracked open the browser developer tools to see how they were doing it. Were they using web sockets? Long polling? It's always interesting to see how different companies set up their solutions for this sort of thing. For anyone curious, they're actually using a less-exciting method of just doing occasional full page refreshes via a meta tag.

On each page load Caviar is dropping the coordinates of the courier into JavaScript variables, along with my coordinates, and then showing those on a map. Simple enough. After the delivery came the map reverted to just showing my location, but I noticed something very alarming: the variables for the courier's location were continuing to get updated long after the delivery was made. In fact, simply flipping a variable named out_for_delivery from false to true as the page was loading would result in the courier's current location being displayed nicely on the map.

For posterity, I've published a gist containing the relevant snippet of code responsible for this. There's not a whole lot going on there, but it's a good example of why you should never completely rely on client-side security rules.
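The server-side version of that rule, as an added example that is not Caviar's code or the code in the gist. Every name other than out_for_delivery is hypothetical and the sample data is constructed.

```javascript
// Added example: every name except out_for_delivery is hypothetical.
// Constructed sample data standing in for the order store and the live courier feed.
const ORDERS = {
  "order-active": { status: "out_for_delivery", courierId: "c1", dropoff: { lat: 40.0, lng: -75.0 } },
  "order-done": { status: "delivered", courierId: "c1", dropoff: { lat: 40.1, lng: -75.1 } },
};
const COURIER_POSITIONS = { c1: { lat: 40.05, lng: -75.05 } };

// Pattern the post describes: the courier position is always sent, and a
// flag tells the browser whether to draw it.
function pageDataVulnerable(order) {
  return {
    out_for_delivery: order.status === "out_for_delivery",
    customer: order.dropoff,
    courier: COURIER_POSITIONS[order.courierId], // still present after delivery
  };
}

// Hardened: the server decides. Outside an active delivery the courier key
// never reaches the browser, so flipping the flag has nothing to reveal.
function pageDataHardened(order) {
  const data = { out_for_delivery: order.status === "out_for_delivery", customer: order.dropoff };
  if (data.out_for_delivery) data.courier = COURIER_POSITIONS[order.courierId];
  return data;
}

// Serialize for an inline <script>; "<" is escaped so a value cannot close the tag.
function renderInlineScript(data) {
  const json = JSON.stringify(data).replace(/</g, "\\u003c");
  return `<script>var ORDER_PAGE = ${json};</script>`;
}

// Regression check for a test suite: does the rendered HTML carry a courier
// position for an order that is not out for delivery?
function leaksCourier(html) {
  const data = JSON.parse(html.slice(html.indexOf("{"), html.lastIndexOf("}") + 1));
  return !data.out_for_delivery && data.courier !== undefined;
}

function renderStatusPage(orderId, buildData) {
  return renderInlineScript(buildData(ORDERS[orderId]));
}
```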

Once I realized this was not resolving itself, I contacted Caviar's support to let them know about the issue. The next day I got a response saying that their engineers would be looking into the problem. Awesome! Problem solved, right?

Fast forward to today, and if I pull up the order status page for that July 11 order it still has moving courier coordinates being dropped onto the page. I also placed another order a couple nights back that now exhibits the same behavior, so it's definitely still an issue.

This is a huge privacy violation for Caviar's couriers. As a user of the service I should not be able to have any knowledge of the courier's location outside of the context of my own delivery. As soon as my delivery is complete, the page should no longer need to be updated with any information about the courier. Instead, if I wanted to I could continue tracking that courier indefinitely. I could mine the data for delivery patterns, pickup and dropoff locations, working hours, and probably even deduce where the courier lives based on where the location settles after hours. This is not information I have any right to, nor is it something I even want to know, so I did nothing of the sort, but that doesn't change the fact that it was still there for the taking.

Security by Good Samaritans is not a good long-term strategy.

Insecure Order Status Pages

One other thing I noticed in using Caviar is a privacy issue for both users and couriers. As is the case with basically every system out there, there's a standardized URL for checking on your order status in the form of /orders/{order-id}. This is the same page discussed in the previous section that exposed the courier's location. In addition to that, it also has my full name, address, and even telephone number.

There's one problem here: the page is public. You don't need to be authenticated to view order details and get access to all of this personal information. I have a small sample size here, but the order ID seems to be 8 characters long and a case-sensitive mix of letters, numbers, and underscores. Anyone that comes across the right combination of these characters can easily access all of this data. It's not hard to imagine a brute force attack on this URL to try generating valid order IDs and harvesting private information. Just as before, this is not information I even want to have, so I did not make any attempts to exploit the weakness.
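The missing check on /orders/{order-id}, as an added example that is not Caviar's code: the public handler beside an owner-only one, plus an access-control regression check. All function names, the session shape, and the records are hypothetical and constructed.

```javascript
// Added example: constructed records; ids and personal details are made up.
const ORDER_DB = new Map([
  ["Ab3_xY9z", { ownerId: "user-1", name: "Sample Customer", address: "1 Example St", phone: "555-0100" }],
  ["Qr7_mN2k", { ownerId: "user-2", name: "Other Customer", address: "2 Example St", phone: "555-0101" }],
]);

function details(order) {
  return { name: order.name, address: order.address, phone: order.phone };
}

// Pattern the post describes: whoever holds the id gets the details.
function getOrderPublic(_session, orderId) {
  const order = ORDER_DB.get(orderId);
  return order ? { status: 200, body: details(order) } : { status: 404, body: null };
}

// Owner-only handler. `session` is null when the request is unauthenticated.
function getOrderOwnerOnly(session, orderId) {
  if (!session) return { status: 401, body: null };
  const order = ORDER_DB.get(orderId);
  // Same answer for "no such order" and "not your order", so the response
  // does not confirm which ids exist.
  if (!order || order.ownerId !== session.userId) return { status: 404, body: null };
  return { status: 200, body: details(order) };
}

// Regression check: count responses that hand an order's details to anyone
// other than its owner, across anonymous and logged-in requesters.
function countExposures(handler) {
  const sessions = [null, { userId: "user-1" }, { userId: "user-2" }];
  let exposures = 0;
  for (const session of sessions) {
    for (const [orderId, order] of ORDER_DB) {
      const res = handler(session, orderId);
      const isOwner = session !== null && session.userId === order.ownerId;
      if (res.status === 200 && !isOwner) exposures += 1;
    }
  }
  return exposures;
}
```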

In Closing

None of this is meant to disparage Caviar, or imply that any privacy violations observed here were intentional or malicious. As a user I've had good experiences in using their service. I had hoped that contacting their support would result in these issues being resolved, and now hope that publishing this will accomplish that. If you're a user or a courier for them, I strongly advise that you contact them to get this patched up.

I also want to highlight the importance of privacy in general with services like these, especially given their continued rise to ubiquity. The burden of responsibility falls to us as software engineers to make privacy and security a top priority. When users trust us with sensitive information, it's on us to do the best we can to protect it and use it responsibly. We can do better.


Update 8/31:

Looks like Caviar quietly rolled out a fix to the first part here, as I can no longer see the courier's coordinates on the order. Great!

Unfortunately, the second problem is still present and I can still view the status page without being authenticated.