Cybersecurity Breach Exposes Flaws in New 10-Minute Food Delivery Startup Zing

Software Developer Ujjwal Dimri took to X to reveal a startling vulnerability in Zing, a newly launched 10-minute food delivery app backed by Azhar Iqubal, co-founder of Inshorts. The app, which promises ultra-fast food delivery and operates in select Gurugram sectors, has hit a significant roadblock after Dimri gained unauthorized full access to its backend, exposing sensitive user data and operational details.

Dimri’s investigation began as a casual exploration of the app but quickly escalated when he uncovered a critical security flaw. His findings, shared via a thread on X, included access to every order placed since the app’s inception in November 2024, totaling 25,422 orders. The breach revealed a staggering ₹37,10,889.5 in revenue (after discounts), an average order value (AOV) of ₹145.97, and detailed sales data, with popular items like Aloo Pyaz Parantha (2,827 units sold) and Royal Paneer Thali (2,280 units) topping the list.

More alarmingly, Dimri reported having write access to the database, enabling him to potentially manipulate prices, issue fake orders, or delete user accounts—though he refrained from doing so. This incident underscores a growing concern in the rapid-delivery sector, where speed often outpaces security.

In September 2024, Deedy Das, a VC at Menlo Ventures, pulled off something similar for Dotpe.

Zing, founded by Tarun Arora (former COO of Inshorts) and Rachit Sahi, leverages AI-driven demand forecasting and hyper-local cloud kitchens to meet its ambitious 10-minute delivery promise. However, the lack of robust cybersecurity measures has left it vulnerable.

Experts suggest that adherence to frameworks like the OWASP Top 10 (guidelines for mitigating common web application vulnerabilities) could have prevented such an exposure. Dimri attempted to notify Zing’s team before going public but received no response, prompting his decision to share the findings. The revelation has sparked a debate on X, with some advocating for better developer education in cybersecurity, while others question the business viability of Zing’s low AOV model, comparing it to the struggles of Milkbasket, which faltered with an AOV of ₹200-250.

Zing’s leadership has yet to issue an official statement, but the incident serves as a wake-up call for the quick-commerce industry. As competition intensifies, with players racing to dominate the 10-minute delivery space, the balance between innovation and security remains precarious.

For now, Zing’s promise of fresh meals delivered at lightning speed is overshadowed by a critical lesson: in the digital age, speed without safety can lead to costly consequences.
