From studying how Dotpe's ordering API calls work, I figured out that I can remotely place an order at any restaurant table where people were already sitting without needing their table PIN. For obvious reasons, I will spare the details, but it was very straightforward.
I was interested to see if this would work in real life and what would happen when this ghost order made by me showed up on the victim's table. To test this, I went to one of Social's pubs near me. I sat at table T-26. I checked on my laptop what other tables were ordering to get a quick vibe check of the place. I could've just looked around, but it felt cooler to do it on the laptop.
The music was too loud as usual. I scanned the place to find a suitable target to execute my diabolical plan. I spotted a table in my line of sight where two not-too-intimidating-looking guys were sitting and drinking beer. Their table ID was easy to find. It was written in a big font on their table.
I opened up their table's QR code webpage on my laptop. I scanned the API calls to get all the details I needed. I did my thing and I was in. I added a Crispy Corn Soup to the cart. It was the first thing on the menu. I swiped the Place Order button and the order was placed.
I shut down my laptop and waited. My heart was racing. I could feel a pit in my stomach thinking about the awkward situation that was about to happen. The soup arrived. I almost didn't want to watch this unfold. When the waiter put the soup on the table, both the guys at the table looked confused. One of them said they didn't order it. The waiter took out his tablet and showed them the order was placed by their table. The guys at the table repeated that they didn't order it. It was becoming painful to watch. Luckily, and to my relief, after a brief discussion with another staff member, they took the order back and everything was resolved amicably. It was an excruciating experience.
But it worked. This means I could write a script to remotely place orders at every restaurant table in the country that used Dotpe's QR codes. But this would raise alarm bells instantly. I clearly don’t have the stomach for it, but do you know what a really evil person would do? They’d write a script that periodically places small orders at random tables at random restaurants at random times. This would create a touch of disorder to cause a mild inconvenience but not enough to raise suspicions of anything nefarious. They could keep this script running for months, even years, creating awkward scenes and uncomfortable conversations at every restaurant across the country.