"Karvi-geddon": Deficient security architecture at delivery service platform

A security analysis published on GitHub reveals serious deficiencies at Karvi Solutions. Tens of thousands of restaurant customers are affected.


Hundreds of restaurant websites from the company Karvi Solutions continue to exhibit numerous security vulnerabilities, leaving the data of tens of thousands of customers publicly accessible from the beginning of 2024 to the present. The affected data includes full names, addresses, email addresses, mobile numbers, and order details such as "!!!!!! No jalapenos !!!!!!!!!". Despite multiple notifications, the company appears to be failing to address these vulnerabilities adequately.

SMS messages can still be sent via an unsecured API. (Image: heise medien)

The source-code analysis "Karvi-geddon: How a Restaurant Ordering Platform Became a Security Catastrophe" reveals gross deficiencies in the security architecture. On December 15, 2025, an SMS message was reportedly sent to affected individuals pointing to a GitHub repository containing the analysis: "There is a data leak at Karvi Solutions. Again. More details on GitHub." It is still possible to send SMS messages to customers via an unsecured API, and active API keys for the Twilio and AWS cloud services used by Karvi remain accessible.

Experts describe the security architecture as negligent. According to the code analysis, the system also potentially stored full credit card numbers, expiration dates, and the three-digit card verification codes (CVV); storing the CVV after authorization is prohibited under the Payment Card Industry Data Security Standard (PCI DSS).

"What we have found here goes beyond incompetence. The complete refusal to respond to security notifications, combined with the documented history of security flaws, suggests a company that simply does not care about the security or protection of its customers' data."

(Image: GitHub)

The software contains SQL injection vulnerabilities: user input is inserted into database queries without sanitization or parameterization, so an attacker can read or manipulate the entire database. In addition, a flawed function for managing language files allows a complete server takeover: an unauthenticated attacker can upload arbitrary PHP code and have the server execute it.
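To make the SQL injection point concrete, the following added example (not code from the Karvi platform or from the GitHub analysis) contrasts the pattern the analysis describes, input spliced into the query text, with a parameterized query. It uses an in-memory SQLite table with constructed, invented customer rows; the table layout and the field names are assumptions for illustration only.

```python
import sqlite3

# Constructed sample rows; every name, address and hash here is invented.
SAMPLE_CUSTOMERS = [
    (1, "alice@example.com", "pw-hash-alice", "Alice Example", "Musterstrasse 1"),
    (2, "bob@example.com", "pw-hash-bob", "Bob Example", "Beispielweg 2"),
]


def make_db():
    """Create an in-memory database standing in for a platform's customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers ("
        "id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT, name TEXT, address TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """The injectable pattern: the caller's string becomes part of the SQL text.

    Anything the user types after a single quote is parsed as SQL, so the
    WHERE clause no longer restricts which rows (or which columns) come back.
    """
    sql = f"SELECT name, address FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, email):
    """The fix: a parameterized query. The value travels separately from the
    statement, so quotes or SQL keywords in it are just data."""
    return conn.execute(
        "SELECT name, address FROM customers WHERE email = ?", (email,)
    ).fetchall()


# Two classic payloads. The first widens the WHERE clause to every row; the
# second uses UNION to pull columns the query was never meant to return and
# comments out the trailing quote the template appends.
PAYLOAD_ALL_ROWS = "' OR '1'='1"
PAYLOAD_UNION = "' UNION SELECT email, pw_hash FROM customers --"


def demo():
    """Run both payloads against both lookups and return the results."""
    conn = make_db()
    return {
        "vulnerable_all_rows": lookup_vulnerable(conn, PAYLOAD_ALL_ROWS),
        "vulnerable_union": sorted(lookup_vulnerable(conn, PAYLOAD_UNION)),
        "hardened_all_rows": lookup_hardened(conn, PAYLOAD_ALL_ROWS),
        "hardened_union": lookup_hardened(conn, PAYLOAD_UNION),
        "hardened_legit": lookup_hardened(conn, "alice@example.com"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The vulnerable lookup returns every customer for the first payload and leaks the password-hash column for the second; the parameterized lookup returns nothing for either, because it searches for a customer whose email literally equals the payload string. Note that Python's `sqlite3` refuses stacked statements in `execute()`, so a `; DROP TABLE` payload would raise rather than run here; many other drivers and PHP's `mysqli_multi_query` do not give that protection, and the parameterized form is the correct defense in all of them.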

Investigations indicate that one website stores order confirmations as unprotected text files on the web server under easily guessable filenames, so order details such as name, address, phone number, and payment information can be retrieved simply by requesting the right URL. At one point, the complete source code was also publicly accessible as a zip archive.


Due to the ongoing security deficiencies, the Hamburg Commissioner for Data Protection and Freedom of Information, Thomas Fuchs, is preparing legal action. A spokesperson explained: "We are in a long-standing process with Karvi Solutions aimed at closing security gaps, which has also led to certain improvements. Nevertheless, we continue to identify vulnerabilities that allow access to personal data of customers. We are therefore now preparing legal action against the company to enforce the necessary measures."

As early as the beginning of 2025, the Chaos Computer Club called attention to serious security vulnerabilities. They affected over 500 restaurants using software from Karvi Solutions. Even at that time, the problems ranged from unprotected backends and SQL injection to freely accessible backups containing source code and customer data. CEO Vitali Pelz stated at the time that all vulnerabilities had been closed.

Karvi Solutions rejects the allegations. The company, as it did in the summer, speaks of a targeted defamation campaign. According to its own statement, the data was accessed through vulnerabilities at third-party providers or via restaurant APIs. Karvi Solutions claims its core systems were never compromised.

The company also denies storing credit card data. Payments are made exclusively via pop-ups from payment service providers. The SQL injection vulnerability found is described as an isolated case on an old customer website. The company calls the GitHub analysis "exaggerated" and "manipulated." They claim to have reviewed all websites. According to their own statements, there have been no security vulnerabilities since mid-year. However, this account contradicts both our technical analyses and the statements of the data protection authority.

(mack)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.