Dark Web News Analysis
A threat actor on a known hacker forum is advertising the sale of a database allegedly belonging to Woflow, a merchant automation platform that helps restaurants sync menus across delivery apps (UberEats, DoorDash, GrubHub). The dataset reportedly contains 126,980 unique records specifically targeting California restaurants.
Brinztech Analysis:
- The Attack Vector: The breach is attributed to an exposed Metabase dashboard or unprotected API endpoint. This strongly points to the exploitation of CVE-2023-38646, a critical pre-authentication Remote Code Execution (RCE) vulnerability in Metabase that allows attackers to hijack the setup token and execute commands without logging in.
- The Data: The leak reportedly includes:
  - Merchant Identity: Restaurant Names, Addresses, and Contact Info.
  - Operational Data: Menu syncing logs, POS integration details, and potentially API Tokens used to connect the restaurants to third-party delivery platforms.
- The Intent: Unlike standard data brokers, this threat actor has explicitly stated an intent to “cause chaos and disrupt business operations.” This suggests they may have not only stolen data but also deleted or corrupted menu configurations, which would cause orders to fail across major delivery apps for the affected restaurants.
Key Cybersecurity Insights
This alleged breach presents a systemic risk to the food delivery ecosystem in California:
- Supply Chain Disruption: Woflow acts as the “middleware” between restaurants and delivery apps. If the attackers corrupted the menu data, thousands of restaurants could face “Menu Desync” errors, leading to lost revenue and angry customers receiving the wrong orders.
- API Key Exposure: The most critical risk is the potential exposure of Partner API Keys (e.g., DoorDash Drive API or Uber Eats Merchant API keys). If these keys are included in the “merchant data,” attackers could place fraudulent orders, refund themselves, or scrape customer PII from the delivery platforms.
- Metabase Vulnerability Lag: CVE-2023-38646 was disclosed in mid-2023, yet many organizations remain unpatched. This incident highlights the danger of “Shadow IT” or forgotten analytics dashboards left exposed to the public internet.
- Geographic Concentration: The specific targeting of California suggests the dataset might be a “dump” of a specific regional shard or client list, potentially affecting high-profile franchise chains on the West Coast.
Mitigation Strategies
In response to this claim, Woflow and its restaurant partners must take immediate action:
- Patch Metabase Immediately: If Woflow (or any merchant) is using self-hosted Metabase, upgrade to the latest version immediately to patch CVE-2023-38646. Ensure the /api/setup/validate endpoint is blocked externally.
- Rotate Delivery API Keys: Woflow should force a rotation of all API tokens used to authenticate with UberEats, DoorDash, and GrubHub. Merchants cannot easily do this themselves; the platform must initiate it.
- Menu Integrity Check: Restaurants using Woflow should manually verify their menus on delivery apps. Look for unauthorized price changes, item deletions, or “out of stock” markers that may have been malicious.
- Isolate Analytics: Ensure that analytics tools (like Metabase) are behind a VPN or Identity Aware Proxy (IAP) and never exposed directly to the public web.
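The two Metabase mitigations above (patch, and keep the setup endpoint off the public web) can be verified rather than assumed. The following is an added example written for this post, not Brinztech's or Woflow's code. It takes two defender-side inputs: the JSON document that a Metabase instance returns from its unauthenticated `GET /api/session/properties` endpoint, and reverse-proxy access log lines in combined format. It reports (a) whether the reported version is below the first fixed release for its edition and whether a `setup-token` is still exposed in the public properties, and (b) any request to `/api/setup/*` that arrived from an address outside your internal ranges, noting whether it was served (HTTP 200) or blocked. The fixed-version numbers, internal ranges, sample JSON and log lines are assumptions constructed for the example; confirm the version boundary against the vendor advisory before relying on it.

```python
"""Defender-side checks for the Metabase mitigations.

Added example, not code from the post or from Woflow/Brinztech.
Inputs are constructed/assumed: a /api/session/properties JSON document
and combined-format access log lines.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# ASSUMPTION: first release per edition (0.x = OSS, 1.x = Enterprise) that
# fixes CVE-2023-38646. Verify against the vendor advisory before relying on it.
FIXED_VERSIONS = {0: (0, 46, 6, 1), 1: (1, 46, 6, 1)}

# Paths named in the mitigation list; any external hit here is a finding.
SETUP_PREFIX = "/api/setup/"

# Combined/common log format: ip ident user [ts] "METHOD PATH PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(tag: str) -> Tuple[int, ...]:
    """'v0.46.6.1' -> (0, 46, 6, 1); a '-rc'/'-SNAPSHOT' suffix is dropped."""
    return tuple(int(n) for n in re.findall(r"\d+", tag.split("-")[0]))


def assess_properties(props: Dict) -> List[str]:
    """Findings derived from the unauthenticated session/properties document."""
    findings: List[str] = []
    tag = props.get("version", {}).get("tag", "")
    ver = parse_version(tag)
    if not ver:
        findings.append("version tag missing or unparsable")
    else:
        fixed = FIXED_VERSIONS.get(ver[0])
        # Tuple comparison: a shorter prefix (0,46,6) sorts below (0,46,6,1).
        if fixed and ver < fixed:
            findings.append(
                f"version {tag} is below fixed release {'.'.join(map(str, fixed))}"
            )
    if props.get("setup-token"):
        findings.append("setup-token is exposed in unauthenticated properties")
    return findings


def audit_access_log(lines: Iterable[str], internal_nets: Iterable[str]) -> List[Dict]:
    """Return /api/setup/* requests whose source is outside internal_nets."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    hits: List[Dict] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if not path.startswith(SETUP_PREFIX):
            continue
        try:
            src = ipaddress.ip_address(m.group("ip"))
            internal = any(src in n for n in nets)
        except ValueError:
            internal = False  # unparsable source: treat as external
        if internal:
            continue
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "path": path,
            "status": int(m.group("status")),
            # A 200 from outside means the external block is not effective.
            "served": m.group("status") == "200",
        })
    return hits


# --- constructed sample inputs (not real data) -----------------------------
SAMPLE_PROPERTIES = {
    "version": {"tag": "v0.46.6"},
    "setup-token": "EXAMPLE-PLACEHOLDER-TOKEN",
}
INTERNAL_NETS = ["10.0.0.0/8", "192.168.0.0/16"]
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:12:00:01 +0000] "POST /api/setup/validate HTTP/1.1" 200 512',
    '10.0.4.21 - - [10/Jan/2024:12:00:02 +0000] "GET /api/setup/validate HTTP/1.1" 403 0',
    '198.51.100.9 - - [10/Jan/2024:12:00:03 +0000] "GET /api/session/properties HTTP/1.1" 200 2048',
    '203.0.113.7 - - [10/Jan/2024:12:00:04 +0000] "GET /api/setup/validate HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for f in assess_properties(SAMPLE_PROPERTIES):
        print("PROPERTIES:", f)
    for h in audit_access_log(SAMPLE_LOG, INTERNAL_NETS):
        print("LOG:", h)
```

In practice the properties document is fetched from your own instance (for example with `urllib.request`) and the log lines are read from the reverse proxy in front of Metabase. Any hit with `served` set to true shows that the external block on `/api/setup/*` is not in place; an exposed `setup-token` or a below-threshold version means the patch step has not been completed.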
Secure Your Business with Brinztech — Global Cybersecurity Solutions
Brinztech protects organizations worldwide from evolving cyber threats. Whether you’re a startup or a global enterprise, our expert solutions keep your digital assets safe and your operations running smoothly.
Questions or Feedback? For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com