Domino’s Android app allowed for fake payments resulting in unlimited free pizza
Sorry, Domino’s has fixed the bug.
The latest benefit to having even basic coding skills is access to unlimited free Domino’s pizza. At least it was until Paul Price, a security consultant from the UK, notified the chain of the delicious payment flaw he discovered.
In his blog post titled Domino’s: Pizza and Payment, Price describes intercepting and changing values in the response returned by Domino’s payment gateway, DataCash, after he had attempted to pay with a made-up credit card number through the Domino’s Android app.
“As expected the card is declined and the App shows an error message. Let’s try our luck by intercepting the response and changing some values around. I start a new order and set breakpoints on the HTTP endpoint for the DataCash API. Once the breakpoint triggers on the response, I change the <reason> attribute value to ACCEPTED and <status> to 1 (which means transaction accepted according to the DataCash documentation).”
The payment went through and Domino’s Pizza Tracker notified him that his pizza was being prepared. Price still wasn’t convinced that the modification he made wouldn’t be stopped somewhere down the line, so he called up his local Domino’s to find out how far his fake payment went. Turns out Price was 20 minutes away from devouring a pizza he didn’t pay a pence to purchase, a bittersweet moment as he described it.
“My first thought: awesome. My second thought: shit.”
Price took the high road and told the delivery driver of the flaw with payments made using Domino’s mobile application. Domino’s has since resolved the issue.
“We take security extremely seriously and discovered this issue last year during one of our frequent reviews. We are pleased to say it was resolved very quickly,” Rod Brooks, Domino’s head of IT, told Motherboard in a statement.
What is interesting to note is that Price cites the incident as having occurred three years ago, and Domino’s claims to have discovered the issue just last year. That’s a lot of free pizza for those whose taste buds fought off their conscience.
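The flaw Price describes comes down to an order being accepted on the strength of a gateway response that passed through the customer's device. The sketch below is an added example, not code from Domino's, DataCash or Price's post: it sets a handler that trusts the forwarded response beside one that checks the gateway's own record. The function names, the record store, the response layout and the decline status value are all assumptions made for illustration; only the `<status>` and `<reason>` fields and the value 1 for "accepted" come from the quote above.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the gateway's own transaction records
# (hypothetical layout, not the DataCash API). Status "7" is a made-up
# decline code; only "1" = accepted is taken from the article.
GATEWAY_RECORDS = {
    "order-1001": {"status": "7", "reason": "DECLINED", "amount": "15.99"},
    "order-1002": {"status": "1", "reason": "ACCEPTED", "amount": "15.99"},
}

def gateway_query(reference):
    """Server-to-server lookup; the reply never passes through the app."""
    return GATEWAY_RECORDS.get(reference)

def accept_order_trusting_client(client_xml):
    """Weak: believes whatever gateway response the app forwards."""
    doc = ET.fromstring(client_xml)
    return (doc.findtext("status") == "1"
            and doc.findtext("reason") == "ACCEPTED")

def accept_order_verified(order_reference, expected_amount):
    """Hardened: ignores the app's report. The reference and amount come
    from the server's own order record and are checked at the gateway."""
    record = gateway_query(order_reference)
    if record is None:
        return False  # the gateway has no such transaction
    return (record["status"] == "1"
            and record["reason"] == "ACCEPTED"
            and record["amount"] == expected_amount)

# Constructed response as the app would report it after a decline was
# edited on the device into status 1 / ACCEPTED.
TAMPERED = ("<Response><reference>order-1001</reference>"
            "<status>1</status><reason>ACCEPTED</reason></Response>")

if __name__ == "__main__":
    print("trusting client:", accept_order_trusting_client(TAMPERED))
    print("verified, declined card:", accept_order_verified("order-1001", "15.99"))
    print("verified, genuine payment:", accept_order_verified("order-1002", "15.99"))
```
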