Food app Ritual is sharing users' precise workplace information

And because it doesn't check whether you actually work at a location, random strangers can access the data.
Swapna Krishna, @skrishna
March 16, 2018

Ritual is a "social ordering" app that allows users to place an order for a meal and have it ready for pickup at a local restaurant. That's not new, but Ritual also lets other users add their own food orders to, or "piggyback" on, the order already in place. That way one person can head to the restaurant and bring back all the office's orders at once. Sounds fine, right?

Well, there's a huge problem with all this, as Twitter user Caitlin Tran (@caitlinsays_) pointed out. People can join any company on Ritual without any sort of verification and see which floor people work on. And the default settings of the app have users sharing the address of their office and the floor on which they work, as well as sending push alerts about where they're heading to pick up a meal.

We wanted to test it out for ourselves, so Deputy Managing Editor Nathan Ingraham signed up for Ritual and joined the Department of Justice. He then told the app that he worked on the ninth floor of the Chicago office. He was then able to see the first initials and last names of other people who worked in the building and which floor they worked on. This is, of course, limited to people who have downloaded the app, but for secure workplaces, it's absolutely a terrible breach of privacy.

Tran points out that you can sign up for Ritual and see office locations for employees at the Department of Homeland Security, Lockheed Martin, the Pentagon and more. It's important to note that while Ritual doesn't force users into the "Teams" feature, it's a vital part of the app experience. While the idea behind Ritual makes sense, it's shocking that there aren't better privacy controls and data sharing options -- users can't hide their location from other people, and with no verification to confirm you work in a building, there's rampant potential here for abuse.
