Yes, thanks to a vulnerability in Domino’s Pizza Tracker app, hackers could have stuffed their face with free pizza for life.
But that pizza hole has long been closed, according to the security consultant who found it and suppressed a surge of glee and digestive juices.
No unlimited Americanos with extra pineapple and hot dog-stuffed crust for you!
The security consultant, Paul Price, explains that he was sitting around craving just that pepperoni wonder one Friday night.
So he fired up the Domino’s app on his Android phone to put in an order. But he was curious to know how the app generates a £10 voucher, which he’d seen pop up seemingly at random, so he got to poking around in the app’s code.
He found that the code was generated server-side via an API call.
Price fired up Burp Proxy – an intercepting proxy server for security testing of web applications that operates as a man-in-the-middle between your browser and the target application, allowing you to intercept and modify HTTP/S traffic passing in both directions.
Something caught his eye: the Pizza Tracker app was itself processing payments, client-side, via a payment gateway, where its traffic could be meddled with – as opposed to payment processing being safely tucked away on the server side, outside of view.
Price put in a new order with a bogus credit card number. It was declined, of course, as it should be.
But then he intercepted the message and changed some values in the new order: namely, he changed the <reason> attribute value to ACCEPTED and <status> to 1, for “accepted.”
That did the trick. He explains what he saw on the app:
A few minutes pass and the Pizza Tracker changes from “Order” to “Prep” and then to “Baking”. I couldn’t bear to wait another 30 minutes to see if an Americano pizza, Chicken Strippers and Chocolate Chip Cookie + Ice Cream side turn up at my door.
I called the store and they confirm they have received my order and it will be delivered within the next 20 minutes. My first thought: awesome. My second thought: shit.
The pizza arrived, along with the other pancreas-abusing goodies. Price couldn’t accept it in good conscience, so he paid the delivery guy £26 ($37).
Price notes that Domino’s has fixed the bugs, which is one reason he decided it was safe to post about it. He says that payments are still being processed client-side, but now with server-side checks.
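The pattern behind the bug, and the server-side check that closes it, as an added example that is not Domino’s or Price’s code: the field names, transaction ids and gateway records are all constructed for illustration.

```python
"""Added example (not Domino's or Price's code): an order endpoint must not
trust payment status fields reported by the client.  All XML and gateway data
below are constructed; field names are assumptions, not Domino's real format."""
import xml.etree.ElementTree as ET

# Constructed gateway ledger: what the payment gateway itself recorded.
# In production this is a server-to-server lookup, never a client-sent field.
GATEWAY_RECORDS = {
    "txn-001": {"status": "DECLINED", "amount": 2600},
    "txn-002": {"status": "ACCEPTED", "amount": 2600},
}

def parse_confirmation(xml_text):
    """Pull the fields the client posts back after the gateway hand-off."""
    root = ET.fromstring(xml_text)
    return {
        "transaction_id": root.findtext("transactionId"),
        "reason": root.findtext("reason"),
        "status": root.findtext("status"),
        "amount": int(root.findtext("amount")),
    }

def accept_order_trusting_client(xml_text):
    """Vulnerable pattern from the article: the order is released to the
    kitchen purely on values the client asserts, which it can edit in transit."""
    c = parse_confirmation(xml_text)
    return c["status"] == "1" and c["reason"] == "ACCEPTED"

def accept_order_verified(xml_text, gateway=GATEWAY_RECORDS):
    """Hardened pattern (the server-side check the article says was added):
    only the transaction id is taken from the client; status and amount are
    read from the gateway's own record and must match what was ordered."""
    c = parse_confirmation(xml_text)
    rec = gateway.get(c["transaction_id"])
    if rec is None:
        return False
    return rec["status"] == "ACCEPTED" and rec["amount"] == c["amount"]

# Constructed messages: a declined card, the same message with the
# client-side fields edited to look accepted, and a genuinely paid order.
DECLINED = ("<order><transactionId>txn-001</transactionId><reason>DECLINED"
            "</reason><status>0</status><amount>2600</amount></order>")
TAMPERED = ("<order><transactionId>txn-001</transactionId><reason>ACCEPTED"
            "</reason><status>1</status><amount>2600</amount></order>")
PAID = ("<order><transactionId>txn-002</transactionId><reason>ACCEPTED"
        "</reason><status>1</status><amount>2600</amount></order>")
```

Logging the case where the client claims ACCEPTED but the gateway record says otherwise is a cheap detection signal for this class of tampering.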