MediaNama’s Take

The January 2026 disclosure by a security researcher shifts the focus of the “Loved by Friends” feature on Zomato from visibility to geography. Instead of asking who can see recommendation activity, the question now turns to what that activity may reveal about where users place orders. The feature returns specific restaurant outlets linked to a matched account, and each outlet sits at a fixed physical address within a defined delivery area. As a result, every returned recommendation carries a geographic reference.

Zomato has stated that the feature does not expose exact location data. There is no address field, no map pin, and no live tracking mechanism. However, location does not need to appear as a visible field to acquire meaning.

When the system surfaces multiple outlets tied to the same account, observers can view their delivery areas together. If those delivery zones overlap, the likely ordering area narrows. The system does not disclose exactly where a user lives. Nevertheless, it can reduce the range of plausible locations.

This distinction matters. Direct disclosure involves publishing explicit identifiers. In contrast, inference operates through accumulation and pattern recognition. When several outlet-level signals point toward the same cluster, geography becomes probabilistic rather than hidden.

Moreover, as consumer platforms continue to layer social discovery features onto transactional data, such inference becomes easier to construct. The question, therefore, extends beyond whether precise coordinates appear on screen. It concerns whether product design anticipates how small, structured outputs can combine to reveal more than each element does in isolation.

What’s The News?

A security researcher has alleged that Zomato’s “Loved by Friends” feature could allow approximate inference of a user’s delivery area based on restaurant data linked to their account activity.

In a report submitted in January 2026 through Zomato’s vulnerability disclosure channel on HackerOne, a widely used bug bounty and security reporting platform, the researcher examined how the feature links phone numbers to recommendation-related restaurant listings.

Zomato classified the submission as “Informative” and described the reported behaviour as “Intended Behaviour”.

This development follows MediaNama’s October 2025 reporting on the same feature, which found that recommendation-linked order activity could appear to contacts without requiring mutual consent. While the earlier story examined the visibility design, the January report focuses on how the system matches phone numbers and returns recommendation-linked data.

The researcher submitted the report in January 2026. After Zomato classified it as “Informative”, he published a technical write-up on Medium outlining his findings.

What Is the ‘Loved by Friends’ Feature?

Zomato introduced…



Last Update: February 25, 2026