A 6-year-old boy "played" with his dad's Grubhub app, ordering $1,000 worth of food

Originally published at: A 6-year-old boy "played" with his dad's Grubhub app, ordering $1,000 worth of food | Boing Boing


It could have gone worse…


This was our backyard, local Facebook groups were blaming the restaurants. People that don’t have a clue.

I’m glad they kept the food and didn’t try to get out of paying.

I was left alone with our daughter a lot, we had fun and made messes but never an expensive mess.


The Associated Press on Thursday that Grubhub has reached out to the family and offered them a $1,000 gift card.

I sorta feel like the bare minimum you could do would be to reimburse them for the $1000 spent? I know if my kid spent $1000 on Grubhub and Grubhub made it that easy, we would not be using Grubhub in the house after that…


Grubhub didn’t make it easy, dad did by letting a 6 year old play with his unlocked phone.


Last I used the iOS GrubHub app it wanted to do FaceID or TouchID in order to allow a purchase. I may have been a generic “authorize the user” call, so on a pre-TouchID phone the phone’s PIN if it has one would work, and if you have no PIN on the device you just had to tap “Ok”. I’m pretty sure if the FaceID/TouchID fail you can opt to put in the phones PIN (or passcode).

So unless things have changed in order for it to be “easy” for the kid you either need to give them your PIN, or have no PIN, or the kid needs to look a whole whole lot like you (or match your fingerprints).

I would put that in the realm of GrubHub having attempted to make the purchase process safe enough that if one’s kid can order it is probably not GrubHub’s fault. Although I applaud GrubHub’s choice to turn this from a potential PR disaster to a $1000 marketing expense.


Self inflicted first world problems.

My phone is a $600 portable computer, not a toy.

My kid is about to be a legal adult; but when she was little, I never allowed her on my tech until she was old enough and responsible enough to have her own.


Just imagine the wacky hijinks this kid could have caused if his parent had a dating app installed on their phone.


The company also is considering using the family in an online promotional campaign

“Hey, folks! Why not let your kid order a thousand bucks in food? We appreciate the business!”


DL Hughly and Dulce Sloan talked about this on TDS this week…

It starts at about the 3 minute mark…


Grubhub credited them $1000 on their Grubhub account.


It’s so easy, a 6-year old can feed an army with it!

I realize that I’m a curmugeonly nerd with slightly paranoid tendencies and a decent hardware budget; but I can never shake the feeling of weirdness and situationally inappropriate intimacy when reading stories of people just casually sharing hardware loaded with various authorization tokens and largely without effective user privilege separation(at the UI level, both iOS and Android are quite solidly multiuser in an architectural sense; but in the sense of distinct humans as distinct users it’s pretty obvious that a single user with authorization to do anything except violate system integrity is the first-class use case; some sort of kiosk mode is a reluctant tack-on; and support for multiple users is threadbare and unloved at best).


Lower upfront costs; but unless the gig economy manages to helotize psychology in the near future probably more costly to unwind in the end.


This story was about sharing a phone with a 6 year old, this wasn’t sharing with a stranger.

Of course letting your own 6 year old use your every day phone is silly but I don’t think it’s the same thing you’re talking about.

The wife and I know each other’s passwords and PINs, and we use each other’s phones and computers but we would never casually hand our devices over to anyone other than to make a phone call in an emergency.

Who just hands over their phone or laptop to strangers?

this is why “remember me” for websites is a terrible terrible feature. install a password manager and have one secure password to access it. use browser plugins help log into sites, and log in every time. especially bank accounts ( shiver )

probably the only access someone can get with my unlocked laptop is boing boing. ( and you can tell, because i definitely did not write this post :grimacing: )

1 Like

Now that reminds me of what my younger brother did when 1-800 phone sex lines were a thing…

1 Like

Honestly, it’d take quite a lot of effort to get past the screen lock, particularly if I’ve hibernated the computer. Even if the computer is slept, odds are they’d still need to get into the password manager to get any credentials. No, I don’t mind logging in every time, why do you ask?

Uber Eats handled it better in 2021.