https://jashidsany.com/tags/zomato/ Recent content in Zomato on Jashid Sany https://jashidsany.com/images/og-default.png https://jashidsany.com/images/og-default.png Hugo en-us Sun, 19 Apr 2026 00:00:00 +0000 https://jashidsany.com/security-research/ai-security/zomato-mcp-oauth-scope-not-enforced/ Sun, 19 Apr 2026 00:00:00 +0000 https://jashidsany.com/security-research/ai-security/zomato-mcp-oauth-scope-not-enforced/ The OAuth server fronting Zomato's MCP endpoint rewrites the scope request and issues tokens labeled 'offline openid' that nonetheless call every MCP tool, including checkout_cart. The advertised mcp:tools / mcp:resources / mcp:prompts scopes are never enforced at the application layer.