Caution
FOR RESEARCH & EDUCATIONAL PURPOSES ONLY. This project is a Proof of Concept (PoC) designed to demonstrate a specific data exposure bug. The author assumes no responsibility for how this tool is used. Any actions taken based on this project are the sole responsibility of the user. Misuse of this information can result in legal consequences.
Below is a demonstration of the script running in --redact mode.
This tool demonstrates a privacy issue in Zomato's contact recommendation feature. By syncing a target phone number, the following data can be retrieved without the target's explicit consent (provided they have "Recommend to friends" enabled):
- Private Recommendations: a list of restaurants the target has recommended.
- Order History: specific dishes the target has ordered from those restaurants, including images.
- Location History: GPS coordinates of the restaurants, which can be used to approximate the target's movements and frequently visited areas.
- Optional Proxy: route traffic through Burp Suite or another client for interception (--proxy).
- Triangulation Map: generates a clickable link that visualizes restaurant locations on a map with a customizable radius.
- Safe Sharing Mode: automatically redacts sensitive PII (hashes, phone numbers, exact coordinates) and masks restaurant and dish names for safe PoC demonstrations (--redact).
- Automated Desync: ensures a clean state by desyncing existing contacts before exploitation.
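The Safe Sharing Mode described above is the one part of this tool a defender can reuse directly: before a PoC result is shared, hashes, phone numbers and exact coordinates must be gone and restaurant or dish names must not be recoverable from their length. The following is an added example of such a redaction pass, not the project's own code; the record layout (user_id, phone, restaurants with name/lat/lon/dishes, map_link) and the choice to coarsen coordinates to one decimal place rather than drop them are assumptions made for this illustration, and the sample record is constructed.

```python
import json
import random
import re
from typing import Any

# Hex digests of 32 to 64 characters (MD5/SHA-1/SHA-256 sized user IDs or tokens).
HEX_HASH_RE = re.compile(r"\b[0-9a-fA-F]{32,64}\b")
# A "lat,lon" pair as it would appear in a map URL query, e.g. 12.971598,77.594566.
LATLON_RE = re.compile(r"-?\d{1,3}\.\d{3,}\s*,\s*-?\d{1,3}\.\d{3,}")
# Loose international phone pattern: 9 or more digits with optional +, spaces, dashes.
PHONE_RE = re.compile(r"\+?\d[\d\s\-]{7,}\d")


def mask_phone(phone: str) -> str:
    """Hide every digit except the last two, so records stay distinguishable."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) < 2:
        return "[REDACTED]"
    return "*" * (len(digits) - 2) + digits[-2:]


def mask_name(rng: random.Random) -> str:
    """Replace a restaurant or dish name with a block of random length (4-12 chars)
    so the original length cannot be used to guess the name back."""
    return "\u2588" * rng.randint(4, 12)


def coarsen(coord: float, places: int = 1) -> float:
    """Round a coordinate to `places` decimals (1 decimal is roughly 11 km).
    Assumption for this example: keep neighbourhood-scale location so a demo
    map still renders, instead of hiding the value entirely."""
    return round(coord, places)


def redact_text(text: str) -> str:
    """Redact hashes, coordinate pairs and phone numbers inside free text or URLs.
    Hashes go first so their digit runs are not mistaken for phone numbers."""
    text = HEX_HASH_RE.sub("[HASH]", text)
    text = LATLON_RE.sub("[COORDS]", text)
    return PHONE_RE.sub(lambda m: mask_phone(m.group(0)), text)


def leaks_pii(text: str) -> bool:
    """True if an unredacted hash, coordinate pair or phone number remains."""
    return any(rx.search(text) for rx in (HEX_HASH_RE, LATLON_RE, PHONE_RE))


def redact_record(record: dict[str, Any], seed: int = 0) -> dict[str, Any]:
    """Return a redacted copy of one synced-contact result. The input shape is an
    assumption for this example, not the tool's real output format."""
    rng = random.Random(seed)  # seeded so a demo run is reproducible
    out: dict[str, Any] = {
        "user_id": redact_text(record["user_id"]),
        "phone": mask_phone(record["phone"]),
        "restaurants": [],
        "map_link": redact_text(record["map_link"]),
    }
    for r in record["restaurants"]:
        out["restaurants"].append({
            "name": mask_name(rng),
            "lat": coarsen(r["lat"]),
            "lon": coarsen(r["lon"]),
            "dishes": [mask_name(rng) for _ in r["dishes"]],
        })
    return out


# Constructed sample record; every value here is made up for the example.
SAMPLE = {
    "user_id": "3f2a9c1e4b8d7a6f5e0c1b2a3d4e5f60",
    "phone": "+91 98765 43210",
    "restaurants": [
        {"name": "Example Dosa Corner", "lat": 12.971598, "lon": 77.594566,
         "dishes": ["Masala Dosa", "Filter Coffee"]},
    ],
    "map_link": "https://maps.example.invalid/?q=12.971598,77.594566",
}

if __name__ == "__main__":
    redacted = redact_record(SAMPLE)
    print(json.dumps(redacted, indent=2, ensure_ascii=False))
    print("leaks PII:", leaks_pii(json.dumps(redacted)))
```

The final `leaks_pii` check is the part worth keeping in any redaction pipeline: run the same detectors over the serialized output that you used to redact it, and refuse to share anything that still matches.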
Installation
- Install dependencies:
  pip install -r requirements.txt
- Configure the access token:
  - Intercept a valid X-Zomato-Access-Token from the Zomato mobile app.
  - Paste it into the .x_zomato_access_token file.
Usage
Basic run:
  python main.py
1. Privacy / Redaction Mode: use this flag to hide sensitive details (user ID, phone, coordinates) and randomize restaurant name lengths. The map link is also redacted.
  python main.py --redact
2. Custom Triangulation Radius: set the radius of the map visualization circles in meters (default is 8000 m / 8 km).
  python main.py --radius 3000
3. Proxy Interception: route traffic through a local proxy (e.g., Burp Suite).
  python main.py --proxy 127.0.0.1:8080
Combined example:
  python main.py --proxy 127.0.0.1:8080 --radius 5000 --redact
This software is provided "as is", without warranty of any kind. The author shall not be liable for any claim, damages, or other liability, whether in an action of contract, tort, or otherwise, arising from, out of, or in connection with the software or the use or other dealings in the software.
Proof of Concept Only.