Tabit Technologies is a leading mobile hospitality solution provider with a robust product ecosystem that has revolutionized the payments industry. Celebrated globally for streamlining processes for both businesses and end-users, their unique software suite has challenged many of the traditional approaches to point-of-sale, reservation management, wayfinding, dining, and delivery. Consumers are empowered to access inventory and occupancy data to make purchases, reservations, and join waitlists. They can enjoy the flexibility of ordering online from practically any device they use. This same level of simplicity is also enjoyed by business owners as they can facilitate much of their services from the palm of their hand.
As you can imagine, this innovative portfolio of services leverages a ton of data hosted in, and accessed from, a myriad of different sources, which means that application programming interfaces, or APIs, are at the core of everything they do. Though APIs have been a godsend for organizations of all sizes, leveraging them calls for caution: they are prone to vulnerabilities, and those vulnerabilities can be very costly depending on the types of data they transmit. This means companies like Tabit need to be proactive in securing their APIs and ensuring that the right authentication and authorization barriers are in place to prevent data breaches.
With that said, Noname Labs, the research arm of Noname Security, identified a number of notable vulnerabilities in the Tabit platform through which sensitive data was being exposed. One of the researchers made these discoveries while dining at a restaurant that happened to be a customer of Tabit. The vulnerabilities were specifically discovered in version 3.15.4 of Tabit’s reservation system. Not only was personally identifiable information (PII) such as name, mailing address, and phone number exposed, but the reservation system was also exposing sensitive data such as health statements, previous bills at a specific restaurant, and alcohol consumption and smoking habits.
After careful review, the Noname Labs team was able to document the list of vulnerabilities, identify how an attacker could take advantage of them, and determine the types of data that would be compromised. They compiled all of their findings in this comprehensive report. You can also get a detailed look at the documented flaws in the publicly disclosed CVE database.
Noname Labs’ mission is to identify ways to help organizations improve their API security posture. In turn, user data is better protected and organizations become better educated on how to close API security gaps within their ecosystem. With that said, Noname Labs reached out to Tabit to inform them of the vulnerabilities we identified, in an attempt to expedite remediation. Tabit was open to the engagement and worked with Noname Labs to understand the breadth and depth of their security gaps. As a result, Tabit addressed the API misconfigurations and released a new version which closed the aforementioned flaws. Going forward, Noname hopes to maintain a collaborative relationship with Tabit to ensure that the data of Tabit’s direct customers, and of their end users, remains safe and secure from leakage.