Josh Sherman
TL;DR - Don’t use Drizly’s share your order link, unless you want everybody knowing where you’re getting your sauce delivered to.
First off, I want to say that I am very happy to be part of the Drizly beta launch in Tampa, FL and a little bit proud of Tampa for actually being a part of something awesome before it’s gone completely mainstream.
For those unfamiliar with Drizly, they are a booze delivery service. It’s something that my buddy Justin and I have been talked about for years. I used the service today and was floored at how quick the turn around was and how miniscule the markup / delivery fee and tip ended up costing.
After ordering I figured I’d share my order on Facebook and Twitter. It was the least I could do considering I got a pretty sick discount to be part of the beta. That’s where my perception started to change.
The link that ended up being shared ended up revealing not only my order (full disclosure, I am not ashamed that I ordered a box of wine) but it also had a map that showed the location of the driver as well as my home. It didn’t show my address per se, but it showed the general vicinity of my delivery address.
I promptly took down the Facebook and Twitter posts and busted out my tinfoil hat.
With the posts potentially revealing my address taken down, I had to find the link again so I could investigate further. Within your Drizly account you can go to “Order History” and view your orders. My current order had a “Track Order” link that took me to a page that I could share from.
Have you ordered from Drizly before? Follow along with me, go to your orders and track your latest order. On that page in the upper right, you’ll see a section like this:
That’s the link to share your order. Go ahead and open that link, it should show your order, a promo code, CTA and a map showing your delivery location and the location of the store that fulfilled the order.
The map allows you zoom right in on the delivery location. It never shows your actual address but if you zoom in enough, it’s pretty damn easy to figure out someone’s address on the map.
So how do you plot a market on a map? That’s right, latitude and longitude! If you “view source” on the page and search for ”delivery_location” you’ll get just that:
All you have to do is punch those coordinates into Google Maps GPS Coordinates and it will spit back the address. I’ve tried this with a number of different coordinates and have gotten an address every time. The ones I tried that belonged to my friends, they all verified that the address was correct.
At this point, my delivery had arrived (was legit 30 minutes or less) and I Tweeted to Drizly about my experience:
@joshtronic hey there, thank you for
the feedback! You can invite/share the joy of Drizly with friends here #Cheers! https://t.co/dxJINaXSn7
— Drizly
(@Drizly) November 6,
2015Not only did they like my tweet, but their response seemed to indicate that they may not have understood that I was pointing out a major privacy hole.
That response prompted me to swap out for my white hat and do some digging. First, I figured out how to pull up a list of the Drizly share links. It was as easy as searching for a fragment of their default sharing text:
From there, I went ahead and started to gather up Twitter usernames for Drizly employees to see how many of them had posted the sharing link. A few of them had so I compiled a list of addresses, presumably home addresses as they weren’t the same address as Drizly HQ.
I DMed @Drizly to further explain the situation and provided a bit of relevant proof of the hole. I received a polite yet dismissive response:
Personally, I would have rushed to take the map down from the order share page. It’s generally pretty easy to get people’s addresses, but I feel like this is a scenario where the user is probably not aware that they are exposing their delivery and/or home address when sharing. I sure as hell wasn’t informed of this.
I like Drizly and really want to share my orders, even if it is for cheap beer or box wine, but I won’t be sharing until this is resolved. I recommend that you do the same.
