Flink supermarket app: The service is active in some large cities
A security research collective discovered a vulnerability in the app of the online supermarket Flink.
The flaw allowed unauthorized persons to access names, addresses, telephone numbers, e-mail addresses and the last four digits of the credit cards used by customers.
The collective "Zerforschung" disclosed this in a blog post.
According to Flink, the vulnerability has now been closed.
According to a report by the RBB, the data was so inadequately protected that experienced programmers were able to gain access to the data within half an hour.
The weak point was in the application's programming interface (API).
According to their own statements, the team from "Zerforschung" could have called up "the details of all >4000 orders in the last few months".
"Not just ours, but those of all customers."
Both the affected customers and the state data protection officer have been informed of the incident, Flink says.
The data were also "only available for a very short time".
In the meantime, »a well-known IT security company has been commissioned to carry out an external check«.
Active in several major cities
According to Flink, there has so far been no indication that unauthorized persons have accessed the data.
The team from "Zerforschung" comments: "How exactly you want to exclude that is a mystery to us."
Flink was only founded in September 2020.
The start-up buys goods on behalf of customers and delivers them with bicycle couriers.
So far, the company has been active in Berlin, Hamburg, Munich and Nuremberg.
Delivery services gained popularity in Germany and other countries during the pandemic, including in the food sector: In August, for example, Delivery Hero, which delivers orders from restaurants and cafes, was promoted to the DAX.
Flink is also benefiting from the boom: In the latest round of financing, the company raised around 43 million euros in order to be able to expand.
jlk / dpa