On Sunday evening, Wang Sicong, the son of Wang Jianlin, President of property developer Wanda Group, posted a message on Weibo criticizing Meituan’s account security system, complaining that someone else had rebound his account to another mobile phone number. Later, Dianping urgently responded that his account was frozen for protection purposes at the earliest possible time.
Another netizen nicknamed “Xuanningxuan Sir” then conducted a test on Meituan. He posted that anyone could change the mobile phone number connected to a Meituan account simply by obtaining the user’s original mobile phone number and birthday. Having done so, that person can access food and medicine orders, open new orders, view travel information and more. It is very easy to learn a user’s mobile phone number and birthday. Many people post messages celebrating their birthday in WeChat Moments, so their friends on WeChat know their date of birth. Furthermore, many apps require birthday information during registration.
After hearing the feedback from netizens, Meituan quickly adjusted its strategy and applied this method only to users who have modified their mobile phone numbers in the past six months. The mobile phone number connected to Meituan is usually connected to many other apps as well, and China now allows consumers to shift from one operator to another without changing numbers, so most people rarely change their numbers and their contact details connected to Meituan remain the same for a long time. Meituan’s adjustment therefore works for most users.
However, for users who have changed numbers in the last six months, the strategy still has loopholes. Meituan provides more services than just food delivery: its business also covers travel and accommodation, so it has access to sensitive information about those activities. People with ill intentions could get such information themselves.
Chinese media outlet Leikeji commented that some users may need to change the number connected to the app because they have lost their previous mobile phone number and can no longer receive messages such as mobile phone verification codes. In this case, users are recommended to change it through email verification, or a better option. Users may change their mobile phone numbers and cancel the old ones, but they generally do not cancel their email accounts. When the user’s old mobile phone number can’t receive the verification code, it is much more reasonable for the user to verify the modification by email.