Aside re: restaurant technology:
In a restaurant a year ago with "pay via your phone" service. Server gave us a receipt w/ a QR code. I scanned the code, copied the URL to my clipboard, and looked it over. There was a base64 blob on the URL. I decoded it (because Termux and I'm a nerd) and saw obvious parameters I could fuzz. I changed the check ID (incremented it), left the store ID alone, re-encoded it, and found I could access somebody else's check. Not a super exciting vulnerability (since all I could do was see what they ordered and pay their check) but I thought it was still pretty rotten that I could even do that.
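An added example, not part of the original comment and not the vendor's code: the encode-only token pattern the comment describes beside a variant the server authenticates with an HMAC, so an edited check ID is rejected. The JSON layout, the field names `store` and `check`, and the helper names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets

# Constructed demo key; a real deployment would load this from a secret store.
SERVER_KEY = secrets.token_bytes(32)

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def weak_token(store_id, check_id):
    """Pattern from the comment (assumed layout): encoding only, no integrity."""
    return b64e(json.dumps({"store": store_id, "check": check_id}).encode())

def weak_lookup(token):
    p = json.loads(b64d(token))
    return p["store"], p["check"]  # trusts whatever the client sent

def signed_token(store_id, check_id):
    """Same payload, plus an HMAC-SHA256 tag only the server can compute."""
    body = weak_token(store_id, check_id)
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + b64e(tag)

def signed_lookup(token):
    """Return (store, check), or None if the token was altered or malformed."""
    try:
        body, tag = token.split(".")
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(b64d(tag), expected):
            return None
        p = json.loads(b64d(body))
        return p["store"], p["check"]
    except (ValueError, KeyError, TypeError):
        return None

def edit_check(body):
    """Reproduce the client-side edit from the comment for testing the check."""
    p = json.loads(b64d(body))
    p["check"] += 1
    return b64e(json.dumps(p).encode())
```

Signing only stops edits to the token; the token remains a bearer credential for whoever holds the receipt.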