The developer of a website that claimed to automatically hunt for free delivery slots on Instacart and complete a user's order for them shut down the site Thursday after getting a cease-and-desist order from Instacart.
This tool, called Cartdash, and others like it Motherboard previously found for Amazon Fresh and Whole Foods, highlighted a divide between those who happened to know about the tools or the tech-savvy to leverage them, over those who just had to keep trying to use delivery apps as normal to in an attempt to secure food during a pandemic. Instacart, Amazon Fresh, and Whole Foods use a “delivery slot” system to schedule an order, and during the pandemic these slots have been taken quickly, meaning that people who want to get groceries delivered may have to wait days or even weeks to order.
"It's an incomplete system, but I have the essentials to start," Devon Koch, the developer of Cartdash, told Motherboard in an online chat. Koch later told Motherboard he shut down the tool in response to Instacart's cease and desist letter.
Do you have internal documents from bot makers or sellers? We'd love to hear from you. You can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on email@example.com, or email firstname.lastname@example.org.
Before it closed, to use Cartdash users first selected what items they want from Instacart as normal. Once that was done, they had to provide Cartdash with their Instacart email address, password, mobile number, tip amount, and whether they prefer the first available delivery slot or are more flexible. The tool then checked that their login credentials were correct, logged in, and refreshed the checkout page over and over again until a new delivery window appeared. It then placed the order, Koch explained.
"I don’t store any user data, so as soon as the order is submitted, all of the users data is wiped from my server," Koch said, although he does take screenshots of the page if there is an error for his own debugging purposes and to inform the user. Once the process is complete, he also deletes those screenshots, he added.
When asked if this tool may give people an unfair advantage over those who don't use the tool, Koch said, "at this point, it's a matter of awareness, not technical ability, since people who can use Instacart can use Cartdash." When pushed on how, realistically, not every user of Instacart is going to know about Cartdash, even after it may receive more attention, and the people using Cartdash will still have an advantage over people who aren't using automated tools, Koch again said, "it's a matter of awareness, not technical ability."
Other developers Motherboard previously spoke to who created tools to automate finding delivery slots for Amazon Fresh and Whole Foods saw the room for abuse, although some of their tools were harder to use on a technical level than Cartdash.
"Yes, it's an unfair advantage over others who aren't tech-savvy but may still need to purchase items urgently. However, I try my best to reduce the abused [sic] problem," Manfong, the developer behind a Chrome extension that notifies users when a delivery slot opens up, told Motherboard in an email.
Koch said he would have liked to devise a system that incentivized both at-risk Instacart users, such as people with pre-existing health conditions or the elderly, as well as the shoppers themselves. One example could have been to ensure that a tip is guaranteed to be 30 to 40 percent at a minimum while using the tool.
"You know what… I just checked my email. Got a cease and desist from Instacart."
When asked for comment on Wednesday, Instacart told Motherboard that independent services like Cartdash are in no way affiliated with the company, and that people claiming to be able to grab delivery slots outside of the main Instacart platform are, at a minimum, violating Instacart's trademarks but also as the company's terms of service. Instacart said people who do this will be contacted by the company's legal team.
On Thursday Motherboard asked Koch whether he had faced any sort of legal issue from Instacart due to CartDash. At the time, Koch said he had not.
But as the conversation continued, Koch said, "You know what… I just checked my email. Got a cease and desist from Instacart."
"Damn, this is all happening in real time," he added.
Koch said he checked Instacart's terms of service before creating CartDash and "there wasn't anything in there that stuck out."
Instacart's terms of service says, "You may only access the Services through the interfaces that Instacart provides."
Subscribe to our cybersecurity podcast, CYBER.