Nearly everyone likes pizza. This is one of the universally recognized foods that requires very little hardware to use. All one really needs is a plate. This familiar food is multi-cultural, with different regions and countries having their specialty ingredients and forms. The one aspect that would make this delicious food even better would be if it was free. Everyone would like free pizza, and sure enough, hackers found a way to obtain it by taking advantage of a vulnerability that affected a global pizza maker in its UK area of operations.
In this particular case, which occurred in the UK, a vulnerability was noticed when someone ordered a pizza through the Domino’s Pizza Android app. At random, a voucher code would appear that could be used on the next pizza order. Anytime there is free food involved, people take notice.
The voucher code was generated on the server side through an API call. The researchers sniffed the app’s web traffic to understand exactly what was occurring, and found that the Domino’s app was processing payments client side through a payment gateway. This is generally a bad idea. It does spare the company from handling the user’s credit card data and from the PCI compliance burden that comes with it, but because the processing is not done server side, users are able to see the process and modify it to their benefit. The researcher continued the test by entering a false credit card number, which returned a declined notice, and then examined the return traffic from the payment gateway. With that response in hand, two of its values were changed.
These two values were <reason>, changed from DECLINED to ACCEPTED, and <status>, changed to 1, which also indicates that the transaction was accepted. The order therefore appeared to have been placed and paid for without any issue. Domino’s received the order and processed it by making the pizza.
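The defect described above is a server that believes whatever payment result the app relays to it. The following is an added illustration, not code from the post or from Domino’s: a constructed gateway response in the <status>/<reason> shape the post describes, a handler that trusts it as-is, and a hardened handler that recomputes a gateway signature (assumed here to be an HMAC over the transaction fields with a secret the app never holds) and checks the amount before accepting the order.

```python
import hmac
import hashlib
import xml.etree.ElementTree as ET

# Constructed shared secret: known to the gateway and the merchant server, never to the app.
GATEWAY_SECRET = b"constructed-shared-secret"


def gateway_sign(txid, status, reason, amount):
    """Assumed gateway signing scheme: HMAC-SHA256 over the fields that decide the outcome."""
    msg = f"{txid}|{status}|{reason}|{amount}".encode()
    return hmac.new(GATEWAY_SECRET, msg, hashlib.sha256).hexdigest()


def gateway_response(txid, status, reason, amount):
    """Constructed XML in the shape the post describes (<status>, <reason>), plus a signature."""
    sig = gateway_sign(txid, status, reason, amount)
    return (f"<payment><txid>{txid}</txid><status>{status}</status>"
            f"<reason>{reason}</reason><amount>{amount}</amount><sig>{sig}</sig></payment>")


def parse_response(xml_text):
    root = ET.fromstring(xml_text)
    return {k: root.findtext(k) for k in ("txid", "status", "reason", "amount", "sig")}


def vulnerable_accept(client_xml):
    """The defect in the post: the server believes the result the app relays, unverified."""
    r = parse_response(client_xml)
    return r["status"] == "1" and r["reason"] == "ACCEPTED"


def hardened_accept(client_xml, expected_amount):
    """Recompute the MAC over the relayed fields; editing <status> or <reason> invalidates it.
    Also require the paid amount to match the order, so a genuine small payment cannot
    be replayed against a larger basket."""
    r = parse_response(client_xml)
    expected = gateway_sign(r["txid"], r["status"], r["reason"], r["amount"])
    if not hmac.compare_digest(expected, r["sig"] or ""):
        return False
    return (r["status"] == "1" and r["reason"] == "ACCEPTED"
            and r["amount"] == str(expected_amount))


# Constructed: a declined card, then the same response with the two fields the post names edited.
DECLINED = gateway_response("T-100", 0, "DECLINED", 1299)
TAMPERED = (DECLINED.replace("<status>0</status>", "<status>1</status>")
            .replace("DECLINED", "ACCEPTED"))
```

Stronger still is to not route the result through the app at all and have the merchant server confirm the transaction with the gateway server-to-server; the signature check is the minimum that makes the two-field edit fail.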
This was not only a proof of concept but an actual, exploitable vulnerability: the pizza delivery driver did show up and delivered the free pizza. The researchers did pay for the pizza, on moral and ethical grounds. Domino’s received the order and, instead of completing a quick check, simply started cooking. The vulnerability was fixed prior to the reporting of the issue.
Hackers it seems will take advantage of any opportunity for financial gain. While they are happy to empty a bank account for millions, they also seem happy to receive free pizza…while they plot their way into mega million accounts.
Learn more about how to secure mobile devices at the National Cybersecurity Institute.
Charles Parker, II, has been coding since the mid-1980’s, and has been working in the finance, auto manufacturer, and health industries seeking secure solutions for issues for over 17 years. Charles has an MBA, MSA, JD, LLM, and is a doctoral candidate for a PhD in Information Assurance and Security.