Food app Ritual is sharing users' precise workplace information

And because it doesn't check whether you actually work at a location, random strangers can access the data.

Ritual is a "social ordering" app that allows users to place an order for a meal and have it ready for pickup at a local restaurant. That's not new, but what Ritual allows is for other users to add their own food orders, or "piggyback", onto the order already in place. That way one person can head to the restaurant and bring back all the office's orders at once. Sounds fine, right?

Well, there's a huge problem with all this, as Twitter user Caitlin Tran (@caitlinsays_) pointed out. People can join any company on Ritual without any sort of verification and see which floor people work on. And the default settings of the app have users sharing the address of their office and the floor on which they work, as well as sending push alerts about where they're heading to pick up a meal.

We wanted to test it out for ourselves, so Deputy Managing Editor Nathan Ingraham signed up for Ritual and joined the Department of Justice. He then told the app that he worked on the ninth floor of the Chicago office. He was then able to see the first initials and last names of other people who worked in the building and which floor they worked on. This is, of course, limited to people who have downloaded the app, but for secure workplaces, it's absolutely a terrible breach of privacy.

Tran points out that you can sign up for Ritual and see office locations for employees at the Department of Homeland Security, Lockheed Martin, the Pentagon and more. It's important to note that while Ritual doesn't force users into the "Teams" feature, it's a vital part of the app experience. While the idea behind Ritual makes sense, it's shocking that there aren't better privacy controls and data sharing options -- users can't hide their location from other people, and with no verification to confirm you work in a building, there's rampant potential here for abuse.