A security researcher discovered that Zomato's 'Friend Recommendations' feature uses a unilateral contact-sync model: anyone who knows a target's phone number can silently extract that person's restaurant order history and food preferences through the API, without the target's knowledge or consent. By querying restaurant coordinates and mapping where their delivery radii overlap, an attacker can infer a user's approximate home location. The researcher built a working proof-of-concept in 3 hours and reported it to Zomato, which closed the ticket in 12 minutes labelling it 'Intended Behaviour.' The post details the full 5-step API exploitation chain (sync-contacts, get-contacts, get_listing_by_usecase, menu endpoint, and res_info), explains how seed lists from prior data breaches could enable mass enumeration, and provides steps to opt out of the feature.
Table of contents

- Zomato's Misleading UI: The Illusion of Consent in 'Friend Recommendations'
- Exploiting Zomato API Endpoints: A Technical Proof of Concept