4 days ago
The Zomato API Bug That Turns Phone Numbers Into Location Intel
Zomato’s “Friend Recommendations” API allows unilateral contact syncing. By uploading a phone number, bad actors can extract a user’s restaurant recommendation history and restaurant coordinates. By mapping overlapping delivery radii, an attacker can estimate a user’s approximate physical location without their consent.
Source: HackerNoon →