A tech enthusiast reverse-engineered Zomato's "Food Rescue" feature, which alerts users to discounted food from cancelled orders, in order to build an automated notification system. The investigation showed that Zomato uses server-driven UI and MQTT for real-time events, but it also surfaced security concerns such as credentials exposed in API responses. The project underscores the difficulty of shipping such a feature while preventing abuse. The enthusiast wrote a Kotlin app that sends a notification as soon as a discounted order becomes available, giving its users a head start over those who rely on the official app's organic alerts. The approach has limits, however: Zomato's pitch-once constraint (each rescued order is offered only once) stops automated interception from working reliably. The write-up offers insight into Zomato's architecture and its potential security issues. To improve the experience, the author suggests completing the deep-linking flow or using a shadow-account approach for tighter integration with the official app, while noting that the current notification-first approach already satisfies most users despite its limitations.
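The summary's security finding is credentials leaking in API responses. The check below is an added example, not code from the article or from Zomato: a small scanner a defender can run over captured API responses (for instance in a CI test against a staging environment) to flag and redact fields whose keys look like secrets. The JSON sample is constructed for illustration; its field names are not Zomato's real schema.

```python
import json
import re

# Constructed sample of a server-driven UI response that also carries
# real-time connection details. Names and values are invented, not Zomato's.
SAMPLE_RESPONSE = json.dumps({
    "screen": "food_rescue",
    "widgets": [{"type": "banner", "text": "Rescued order available"}],
    "realtime": {
        "mqtt_host": "broker.example.invalid",
        "mqtt_username": "app-user",
        "mqtt_password": "s3cr3t-pass",
        "access_token": "eyJhbGciOiJIUzI1NiJ9.e30.abc",
    },
})

# Key names that should never reach a client response with a non-empty value.
SENSITIVE_KEY = re.compile(r"(password|passwd|secret|token|api_?key|private_?key)", re.I)


def find_exposed_credentials(body: str):
    """Return [(json_path, key), ...] for string fields whose key looks like a credential."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                child = f"{path}.{key}"
                if SENSITIVE_KEY.search(key) and isinstance(value, str) and value:
                    findings.append((child, key))
                walk(value, child)
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, f"{path}[{index}]")

    walk(json.loads(body), "$")
    return findings


def redact_credentials(body: str) -> str:
    """Return the response with credential-looking string values replaced, for safe logging."""

    def scrub(node):
        if isinstance(node, dict):
            return {
                key: ("[REDACTED]" if SENSITIVE_KEY.search(key) and isinstance(value, str) and value
                      else scrub(value))
                for key, value in node.items()
            }
        if isinstance(node, list):
            return [scrub(value) for value in node]
        return node

    return json.dumps(scrub(json.loads(body)))


if __name__ == "__main__":
    for path, key in find_exposed_credentials(SAMPLE_RESPONSE):
        print(f"credential-like field in response: {path}")
    print(redact_credentials(SAMPLE_RESPONSE))
```

The key-name heuristic is deliberately broad; on a real API it is tuned with an allow-list for fields that legitimately carry short-lived, scoped tokens, and anything else it flags is treated as a finding to fix server-side rather than something to hide in the client.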
Read the full article at InfoSec Write-ups - Medium