Fish & chips?

Such an innocuous phrase, one which should have led to an evening in front of the TV with the better half.  Instead, a nightmare ensued: endlessly contacting several local eateries to alert them to a very serious problem.

Tiffin Tom is a "Just Eat" style, online food ordering service with hundreds of local businesses.  Just enter your postcode and a world of artery-clogging yet convenient food awaits.

Unfortunately, it's also a sure-fire way to have your identity & payment information stolen - very, very quickly indeed.

After Googling my local Parkhill Fish Bar, https://parkhillfishbar.co.uk/ appears as the first result.  I began adding items to my basket before the site asked me to register.

Note: As Parkhill Fish Bar took immediate action and requested the site be taken down on the day I notified them, the images used throughout this article will show another company, Major Curry Affair, who I also notified.  Their site remains live.

Pandora's Box

Before you order, the site calls its backend to fetch the takeaway's details: opening hours, minimum order value, service area and so on.

It returns data like this:

Nothing wrong so far... until you scroll down.

Let me make sense of that for you...

I asked to register.  Instead, Tiffin Tom gave me full, unfettered access to their Google, Firebase, Facebook, Twitter, MailChimp, Text Magic, Click Send, Pusher, Email, PayPal & Stripe payment accounts!

You'd be forgiven for thinking they're obviously fake, outdated or canaries, right?

A quick call to Stripe's API confirms... I'm their latest customer.

Sure enough, every single credential is live, working and leaking every single piece of customer information.

Full names, addresses, email addresses, phone numbers, order history, payment information including card data... literally everything you hand over is visible to the public.
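As an added example (my own code, not anything taken from the original post or from Tiffin Tom), this is the kind of check I'd run over a JSON response like the one above before letting it anywhere near a browser: walk every string field, flag anything matching a known credential format, then fall back on a field-name heuristic for secrets with no recognisable shape (SMTP passwords, PayPal secrets).  The sample response and every key value in it are constructed placeholders; the format prefixes (Stripe's sk_/pk_, Google's AIza, Mailchimp's -usNN suffix) are the ones the vendors document publicly.  Note the deliberate distinction: a Stripe publishable key is designed to be shipped to the browser, so it's only "info"; a secret key never is.

```javascript
// Constructed sample of a "takeaway details" response; all key values are placeholders, not real.
const SAMPLE_RESPONSE = JSON.stringify({
  restaurant: { name: "Example Takeaway", min_order: 10, opening_hours: "17:00-23:00" },
  settings: {
    stripe_secret_key: "sk_live_" + "X".repeat(24),
    stripe_publishable_key: "pk_live_" + "X".repeat(24),
    paypal_client_secret: "EXAMPLEpaypalSECRETvalue0123456789abcdef",
    firebase_api_key: "AIza" + "A".repeat(35),
    mailchimp_api_key: "0123456789abcdef0123456789abcdef-us21",
    smtp_password: "hunter2",
  },
});

// Format-based detectors; the shapes are those the vendors document publicly.
// A Stripe publishable key is meant for the browser, so it is only "info"; a secret key never is.
const DETECTORS = [
  { name: "Stripe secret key", re: /\bsk_(live|test)_[A-Za-z0-9]{16,}\b/, severity: "critical" },
  { name: "Stripe publishable key", re: /\bpk_(live|test)_[A-Za-z0-9]{16,}\b/, severity: "info" },
  { name: "Google/Firebase API key", re: /\bAIza[0-9A-Za-z_-]{35}\b/, severity: "high" },
  { name: "Mailchimp API key", re: /\b[0-9a-f]{32}-us[0-9]{1,2}\b/, severity: "high" },
];

// Field-name heuristic for secrets without a recognisable format (SMTP passwords, PayPal secrets...).
const SENSITIVE_NAME = /(secret|password|passwd|token|private|api_?key)/i;

// Never paste a full secret into a report or email; keep just enough to identify it.
function mask(value) {
  return value.length <= 8
    ? "*".repeat(value.length)
    : value.slice(0, 8) + "*".repeat(value.length - 8);
}

// Recursively visit every string in the parsed response, recording findings with their JSON path.
function walk(node, path, out) {
  if (node !== null && typeof node === "object") {
    for (const [k, v] of Object.entries(node)) walk(v, path ? `${path}.${k}` : k, out);
    return;
  }
  if (typeof node !== "string") return;
  const hit = DETECTORS.find((d) => d.re.test(node));
  if (hit) {
    out.push({ path, finding: hit.name, severity: hit.severity, preview: mask(node) });
    return;
  }
  if (SENSITIVE_NAME.test(path.split(".").pop()) && node.length >= 6) {
    out.push({ path, finding: "secret-looking field", severity: "medium", preview: mask(node) });
  }
}

function scanResponse(body) {
  const findings = [];
  walk(JSON.parse(body), "", findings);
  return findings;
}

// Anything critical or high means the response should never have reached a browser at all.
function mustNotShip(findings) {
  return findings.some((f) => f.severity === "critical" || f.severity === "high");
}

// Usage: run it over the constructed sample and print the masked findings.
for (const f of scanResponse(SAMPLE_RESPONSE)) {
  console.log(`${f.severity.padEnd(8)} ${f.path}: ${f.finding} (${f.preview})`);
}
```

The field-name heuristic is there because the most damaging leak in a response like this is often the one with no distinctive format: an SMTP or database password looks like any other string, and only its key name gives it away.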

Ignorance is bliss.

It's been a while since I've seen an application do something so blatantly stupid & dangerous - not since Police CyberAlarm in fact, when they returned user passwords in plain text.

At this point, I obviously didn't place an order and immediately visited Parkhill.  Parkhill's our local and whilst we don't visit often, it's always our go-to place for fish & chips, so I already knew Baljinder, the owner.

Once I'd outlined the issue to Bal, he promptly called Jamal Ahmed, the "Director" of Tiffin Tom Ltd.

Note: I've put Director in quotes, for reasons I'll explain shortly.

Bal explained & relayed the information to Jamal, but we eventually ended up on speakerphone, during which I explained the entire system was exposed, Stripe keys were breached and everything should be taken offline immediately.  His immediate response was "we've not been breached", a line he continues to repeat to every business I've notified.

However, he promised to take Parkhill offline and remove their data.  I also agreed to email & call the following day with more concrete information.

The "fix"

The following day, I started pulling the rest of the service apart.  However, during a mandatory due diligence period, I noticed something odd at Companies House.

What?! No Directors whatsoever?

Jamal resigned in July 2022 - meaning the company has been "trading" illegally ever since.  It's probably why Companies House have tried to strike off the company - that and a lack of accounts/confirmation statement, but someone's lodged an objection, so the company remains active with no leadership.

Curve ball

This is a situation I've never faced before.

Normally, I'd hand over all the supporting evidence to the company and let them resolve it.  Now however, I can't - legally at least - because Jamal is no longer the Director he purports to be.

A quick call to the ICO and they too are equally stumped; asking me to forward a complaint but with no guarantee of any action because of the unique circumstances.

One thing was for sure however... the businesses using Tiffin Tom were still liable for sizeable fines, something I'm trying to avoid.

Anyway, I digress... let's move on to the "fix".

Despite claiming (and continuing to claim) there has been no breach, Jamal did admit he'd "found a few things" which his developers were fixing.

A few days later, the database call which prompted this mess changed significantly.

They've clearly found and discussed the problem (keep in mind, I didn't tell them where it was) - but their "solution" is just as pathetic as the site itself.

Instead of returning the critically-sensitive details in plain text, they've encrypted them.  However, the astute amongst you will have already surmised: if the browser is decrypting the results to populate forms and JavaScript, the decryption key has to be shipped to the browser alongside them, so it's sitting right there in the page source.

Sure enough...

Decrypting the data is as simple as Googling "aes decrypt" and pasting in the key and the ciphertext.

Sigh.

OK, they tried... but not particularly hard.  They didn't even change the exposed secret keys!  They've just encrypted the existing, leaked keys - then told customers there's been no breach!  Once a secret has been served to the public it is compromised, full stop; the only fix is to revoke and rotate it, and then stop sending it to the browser at all.

I rarely get angry, but this piss-poor effort continues to place 21,000 customers at immediate, demonstrable risk and instead of holding their hands up, apologizing and making a reasonably-competent effort to fix it... they've lied & covered it up.

Now, Jamal told Parkhill that his site was offline (confirmed) and his data had been removed.  That however, is a lie too.

Instead of doing what was legally required, Tiffin Tom have simply hidden Parkhill from search results.

All the PII & payment data - which places Parkhill and countless other businesses at risk of huge fines - still remains in the database.

Tip of the iceberg

Believe me when I tell you, this is merely the tip of the iceberg.

The site is festooned with the most rudimentary of security flaws; stored XSS, CSRF, IDOR, broken authentication, session hijacking - it's a perfect little CTF competition masquerading as a business.

Did I mention, they offer debit cards & payment machines too?

More denials...

After finishing my research, I notified Bal @ Parkhill of the further findings, prompting him to contact Jamal again.

His response, as of the 28th June 2023.

Summary

I've researched some pretty egregious sites in the past but this one... it takes some beating.

If you value your business, your customers' data or simply want to avoid a colossal fine from the Information Commissioner's Office, avoid Tiffin Tom/Ubsidi/Nibs Solutions at all costs.

Ya know the worst part? After explaining all this, my chips were cold. Oh, the humanity.

FAQs

1)  I run a business and have a Tiffin Tom account. What should I do?
a)  Notify Tiffin Tom Ltd immediately and request the full & immediate deletion of every record associated with your business, but not before requesting a copy of all logs - as you'll likely need them for any ICO investigation.  Technically, there's nobody steering the ship - even legal action won't help, but you may get results.

2) What if Tiffin Tom doesn't respond, or refute this?
a)  Legally, there's nobody to respond.  Jamal has been very receptive, but clearly doesn't understand the risk of running a Ltd company in breach of CA 2006.

3)  I've placed an order with a takeaway, am I affected?
a)  If they use Tiffin Tom, almost certainly.  Look for "copyrights tiffintom" in the footer.  If you're concerned your details may have been exposed, please contact me privately.  In any event, your payment details should be considered compromised and you should cancel your cards.