News Insights: People Are Making Bots to Snatch Whole Foods Delivery Order Time Slots

News Insights

According to Jason Kent, Hacker in Residence at Cequence Security,

“As we all sit at home, a little bit taken aback by having to sit at home, we get curious and want to make things better.  Necessity, as they say, is the mother of invention.  What if you really wanted a cheeseburger at 6pm?  Perhaps you have a telehealth call setup for your child’s orthodontist appointment and timing is everything.  The world of food delivery as a service has given us options we’ve never had.  That Chinese place you love that didn’t deliver, now delivers with a service.  Those tasty treats are all but a few clicks and a contactless delivery away.  Working in a new and different way has led many restaurants to change their focus, but now it seems they aren’t running quite as efficiently as they once did.  I know my local Chipotle is usually 35 to 45 minutes behind and the queue for DoorDash/GrubHub drivers is pretty lengthy.  If there was a better way to order so that the food was more predictable, it would be a huge benefit. And thus, we have people polling the order APIs and looking for available timeslots, and making those times available or making those orders have a higher priority.  The immediate impact is the service that is looking for timeslots, has the best timeslots but the knock on impact is that your 6pm cheeseburger isn’t possible because a scalper has purchased the slot like a concert ticket. Automated attacks like this are often about polling APIs over and over and making decisions about scarce resource availability.  In the industry, this is like Seat Spinning or Inventory Take Over attacks that tie up something that is for sale and often don’t actually result in sales, but rather just result in more scarcity.  As we depend on these services more and more, we’re going to see attack sophistication increase, eventually causing major disruptions to our new supply chains.”