The Chain Gang

Domino’s Amateur App Let Hackers Order Unlimited Free Pizza

Push for free pizza. Photo: Craig Warga/Bloomberg via Getty Images

Mobile-ordering apps are convenient, but Domino’s recently learned that its own was so badly designed that it offered unlimited free pizza to savvy hackers. Earlier this week, Paul Price, a computer-security researcher in the U.K., blogged that he’d discovered this glitch three whole years ago while poking around the Android app’s source code just for kicks (as hackers do). Price quickly realized Domino’s engineers were guilty of a “very bad practice” that left payment processing vulnerable to serious exploitation, so naturally he exploited it. He input an obviously fake Visa card number (4111111111111111), rewrote the error message that came up so the transaction would read “Accepted” instead of “Declined,” and successfully ordered a pepperoni-mushroom-pineapple pie, chicken strips, and ice cream without a valid payment method.
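The “very bad practice” Price describes boils down to an order flow that believes whatever payment result the phone reports back. The toy Python below is an added illustration, not Domino’s code, not Price’s, and not any real payment processor’s API: it pairs an order server that trusts a client-supplied status field with one that verifies the processor’s signature over the response and then asks the processor directly. The mock gateway, the shared secret, the HMAC scheme, and the rule that the 4111… test card is always declined are all constructed assumptions for the demo.

```python
"""Client-trusted vs. server-verified payment confirmation (constructed demo)."""
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed stand-in for the test card number quoted in the article. Real
# gateways decline it; the mock below does the same.
TEST_CARD = "4111111111111111"


class MockGateway:
    """Constructed mock payment processor (not any real provider's API).

    charge() returns a JSON body plus an HMAC signature over that body, and
    lookup() lets the merchant's server confirm a transaction's status
    directly, without trusting whatever the phone app reports.
    """

    def __init__(self, shared_secret: bytes):
        self._secret = shared_secret
        self._ledger: dict[str, str] = {}

    def charge(self, card_number: str, amount_pence: int) -> tuple[str, str]:
        status = "Declined" if card_number == TEST_CARD else "Accepted"
        txn_id = f"txn-{len(self._ledger) + 1:04d}"
        self._ledger[txn_id] = status
        body = json.dumps(
            {"txn_id": txn_id, "status": status, "amount_pence": amount_pence},
            sort_keys=True,
        )
        sig = hmac.new(self._secret, body.encode(), hashlib.sha256).hexdigest()
        return body, sig

    def lookup(self, txn_id: str) -> str | None:
        return self._ledger.get(txn_id)


def place_order_insecure(payment_body: str) -> bool:
    """Vulnerable pattern: the order server believes the status field the
    client hands it. Editing the response on the phone is enough to get the order."""
    result = json.loads(payment_body)
    return result.get("status") == "Accepted"


def place_order_secure(gateway: MockGateway, shared_secret: bytes,
                       payment_body: str, signature: str,
                       expected_amount_pence: int) -> bool:
    """Hardened pattern: verify the gateway's signature over the exact bytes it
    sent, check the amount, then re-confirm the transaction server-side."""
    expected_sig = hmac.new(shared_secret, payment_body.encode(),
                            hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, signature):
        return False  # body was altered after the gateway signed it
    result = json.loads(payment_body)
    if result.get("amount_pence") != expected_amount_pence:
        return False  # client changed the price
    # The authoritative answer comes from the gateway, never from the client.
    return gateway.lookup(result.get("txn_id")) == "Accepted"


def tamper(payment_body: str) -> str:
    """Reproduce the edit the article describes: flip Declined to Accepted."""
    result = json.loads(payment_body)
    result["status"] = "Accepted"
    return json.dumps(result, sort_keys=True)


def demo() -> dict[str, bool]:
    """Run both order servers against a tampered decline and a genuine payment."""
    secret = b"constructed-shared-secret"
    gateway = MockGateway(secret)
    price = 2600  # the £26 order from the article, in pence

    body, sig = gateway.charge(TEST_CARD, price)  # gateway says Declined
    forged = tamper(body)                          # phone-side edit
    real_body, real_sig = gateway.charge("constructed-valid-card", price)
    return {
        "insecure_accepts_forgery": place_order_insecure(forged),
        "secure_accepts_forgery": place_order_secure(gateway, secret, forged, sig, price),
        "secure_accepts_real_payment": place_order_secure(
            gateway, secret, real_body, real_sig, price),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The signature check alone is not the point; the lookup is. A processor response that reaches the server only via the customer’s device is untrusted input, and the server should treat the processor’s own record as the source of truth before any food leaves the oven.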

Not believing his luck, he got his pizza half an hour later. “My first thought: awesome,” he writes of what went through his head. “My second thought: shit.” (He adds he’s a hacker who’s got principles, so he insisted the baffled pizza guy take cash for the £26 order the store said he’d already paid for.)

Rod Brooks, Domino’s head of IT, tells Fortune the chain already discovered the flaw last year “during one of our frequent reviews,” adding, “We are pleased to say it was resolved very quickly.” The only reason Price ran his post is that Domino’s fixed the bug, but it’s anybody’s guess as to how many other “meddling users” packed on a few free pounds after discovering it.

[Fortune]
