Just Eat & Deliveroo Pick Up the Tab for Bad Password Hygiene
Published: 19/06/2019

Just Eat & Deliveroo Pick Up the Tab for Bad Password Hygiene

  • Netacea, Agentless Bot Management

4 minutes read

Recent attacks on UK takeaway firms like Just Eat and Deliveroo are highlighting the evolving security threat of business logic exploits.

Did you see this headline hit the news a few weeks ago? No? That’s because, despite this statement being an accurate description of events, it wasn’t the angle the media chose when UK takeaway providers, Just Eat and Deliveroo became the targets of a mass credential stuffing attack.

A rising number of big brands are affected by compromised credentials, and tackling the threat requires a fundamental shift in how businesses think about security.

In the instance of Just Eat and Deliveroo, customer accounts were taken over to access credits and fraudulently place food orders, and yet, both food chains stated there was no suggestion of a security breach involving their own data.

How were Just Eat and Deliveroo customer accounts taken over?

Attackers are looking for that sweet, weak spot in a business’s infrastructure, and so must organizations take a fresh approach to application security.

Typically, attackers have tried to exploit weaknesses in an application to execute illegitimate code. For example, SQL injection attacks exploit weaknesses in the application that allow illegitimate commands to be passed to the database and executed in a manner that was not anticipated by the developers. The hacker can then gain access to or control of underlying systems or data.

The application layer is obviously an important area of defense and businesses must continue to be ever vigilant against new attacks. Yet, application security, for many organizations, is nothing new. In fact, the need for application security is well-known and well resourced. Industry awareness, improved systems and tooling and standards such as PCI/DSS have ensured that most companies have defenses in place that will stop most standard attack vectors.

This doesn’t mean that attackers just go away, instead, they look for the next weak point; the business logic of your system.

Deliveroo just eat
Deliveroo and Just Eat

Why does flawed business logic leave businesses vulnerable to attack?

Attacks exploiting weaknesses in the business logic and functionality of an application are becoming increasingly commonplace and are generally underpinned by automation or bot activity.

Business logic exploits

The Just Eat and Deliveroo attacks are good examples of business logic exploitation. The activity used to take over the accounts was ordinary, correct and therefore expected consumer behavior. However, these users were not accessing the accounts for the purposes that the businesses and developers who implemented the systems intended.

Functionality exploits

The functionality being executed is valid. Users must be able to track their orders in a relatively frictionless environment, they must also be able to process refunds and there are multiple, valid business reasons for why that refund is applied as credit rather than repaid direct to a credit or debit card.

The attackers simply exploited this functionality in a combination that was never intended, leaving users feeling cheated while Just Eat and Deliveroo lose money hand over fist.

How do you stop business logic exploits?

The latest bot defense products have evolved beyond IP reputation feeds or JavaScript checks to tackle the growing trend for sophisticated bot attacks that target flawed business logic.

Smarter bot management requires technology that can learn standard patterns of user behavior to quickly and accurately detect when non-standard behavior occurs, and accurately identify and stop malicious users.

Any organization with a customer-facing system (such as a website, mobile app or API) is vulnerable to business logic exploitation and requires a security solution that identifies and stops these attacks.

Talk to the Netacea team today to find out how our best-of-breed bot management technology protects websites, mobile apps and APIs from malicious attacks such as scraping, credential stuffing and account takeover. Alternatively, read our 3-Step Guide to Better Bot Management to discover what you can be doing to protect your business now.

Schedule Your Demo

Tired of your website being exploited by malicious malware and bots?

We can help

Subscribe and stay updated

Insightful articles, data-driven research, and more cyber security focussed content to your inbox every week.


By registering, you confirm that you agree to Netacea's privacy policy.