Bug in Domino’s Pizza App Allowed Hackers to Get Free Pizza for Life
April 6, 2016
Shah Sheikh (1294 articles)

Bug in Domino’s Pizza App Allowed Hackers to Get Free Pizza for Life

Being a responsible, friendly hacker means you don’t get to take advantage of the bugs and holes you find, even if those could’ve let you get free pizza.

Paul Price, a security consultant from the UK, found a bug in the British version of the Domino’s Pizza app that let him do exactly that. Price found that the app’s API wasn’t processing payments correctly, allowing users with enough technical know-how to meddle with it and trick the app into accepting invalid payments, essentially allowing them to order pizza for free.

“Errr, what? It looks like my order was placed without a valid payment,” Price wrote in a blog post recounting the time he ordered pizza without paying for it. “Surely this is an oversight/edge case and Dominos’s will have back office checks in place before physically starting to prepare my order…right?”

Wrong. Price wasn’t sure it actually worked, so he called the store to double check, and surely enough, they told him his pizza was being prepared, according to his blog post.

“My first thought: awesome. My second thought: shit.”

“My first thought: awesome. My second thought: shit,” he wrote.

So the pizza actually showed up at his door, according to Price, but at that point, he admitted the payment didn’t go through and paid in cash. Domino’s has since fixed the bug.

“We take security extremely seriously and discovered this issue last year during one of our frequent reviews. We are pleased to say it was resolved very quickly,” Rod Brooks, Domino’s head of IT, told Motherboard in a statement.

But the moral of the story is that there are plenty of apps out there with faulty APIs.

Buggy APIs were partly responsible for the massive hack of the toy company VTech, which left the personal data of millions of parents and their children exposed. And just a few weeks ago, security researchers Troy Hunt and Scott Helme showed that hackers could mess with Nissan electric cars from all over the world, turning on the AC and draining the car’s battery. The company had to disable the app to fix the bug.

Source | Motherboard