knowing where you’re getting your sauce delivered to.
First off, I want to say that I am very happy to be part of the Drizly beta
launch in Tampa, FL and a little bit proud of Tampa for actually being a part of
something awesome before it’s gone completely mainstream.
For those unfamiliar with Drizly, they are a booze delivery service. It’s
something that my buddy Justin and I have been talked about for years.
I used the service today and was floored at how quick the turn around was and
how miniscule the markup / delivery fee and tip ended up costing.
After ordering I figured I’d share my order on Facebook and Twitter. It was the
least I could do considering I got a pretty sick discount to be part of the
beta. That’s where my perception started to change.
The link that ended up being shared ended up revealing not only my order (full
disclosure, I am not ashamed that I ordered a box of wine) but it also had a map
that showed the location of the driver as well as my home. It didn’t show my
address per se, but it showed the general vicinity of my delivery address.
I promptly took down the Facebook and Twitter posts and busted out my tinfoil
hat.
With the posts potentially revealing my address taken down, I had to find the
link again so I could investigate further. Within your Drizly account you can go
to “Order History” and view your orders. My current order had a “Track Order”
link that took me to a page that I could share from.
Have you ordered from Drizly before? Follow along with me, go to your orders and
track your latest order. On that page in the upper right, you’ll see a section
like this:
That’s the link to share your order. Go ahead and open that link, it should show
your order, a promo code, CTA and a map showing your delivery location and the
location of the store that fulfilled the order.
The map allows you zoom right in on the delivery location. It never shows your
actual address but if you zoom in enough, it’s pretty damn easy to figure out
someone’s address on the map.
So how do you plot a market on a map? That’s right, latitude and longitude! If
you “view source” on the page and search for ”delivery_location” you’ll get just
that:
All you have to do is punch those coordinates into Google Maps GPS
Coordinates and it will spit back the address. I’ve tried this with a
number of different coordinates and have gotten an address every time. The ones
I tried that belonged to my friends, they all verified that the address was
correct.
At this point, my delivery had arrived (was legit 30 minutes or less) and I
Tweeted to Drizly about my experience:
@joshtronic hey there, thank you for
the feedback! You can invite/share the joy of Drizly with friends here #Cheers! https://t.co/dxJINaXSn7
— Drizly
(@Drizly) November 6,
2015
Not only did they like my tweet, but their response seemed to indicate that
they may not have understood that I was pointing out a major privacy hole.
That response prompted me to swap out for my white hat and do some digging.
First, I figured out how to pull up a list of the Drizly share links. It was as
easy as searching for a fragment of their default sharing text:
From there, I went ahead and started to gather up Twitter usernames for Drizly
employees to see how many of them had posted the sharing link. A few of them had
so I compiled a list of addresses, presumably home addresses as they weren’t the
same address as Drizly HQ.
I DMed @Drizly to further explain the situation and provided a bit of relevant
proof of the hole. I received a polite yet dismissive response:
Personally, I would have rushed to take the map down from the order share page.
It’s generally pretty easy to get people’s addresses, but I feel like this is a
scenario where the user is probably not aware that they are exposing their
delivery and/or home address when sharing. I sure as hell wasn’t informed of
this.
I like Drizly and really want to share my orders, even if it is for cheap beer
or box wine, but I won’t be sharing until this is resolved. I recommend that you
do the same.
