The latest benefit to having even basic coding skills is access to unlimited free Domino’s pizza. At least it was until Paul Price, a security consultant from the UK, notified the chain of the delicious payment flaw he discovered.
In his blog titled Domino’s: Pizza and Payment, Price describes intercepting and changing the values of code given by Domino’s payment gateway Datacash after he had attempted to pay with a made-up credit card number through the Domino’s Android app.
As expected the card is declined and the App shows an error message. Let’s try our luck by intercepting the response and changing some values around. I start a new order and set breakpoints on the HTTP endpoint for the DataCash API. Once the breakpoint triggers on the response, I change the <reason> attribute value to ACCEPTED and <status> to 1 (which means transaction accepted according to the DataCash documentation).
The payment went through and Domino’s Pizza Tracker notified him that his pizza was being prepared. Price still wasn’t convinced that the modification he made wouldn’t be stopped somewhere down the line so he called up his local Domino’s to find out how far his fake payment went. Turns out Price was 20 minutes away from devouring a pizza he didn’t pay a pence to purchase, a bittersweet moment as he described it.
My first thought:awesome. My second thought: shit.
Price took the high road and told the delivery driver of the flaw with payments made using Domino’s mobile application. Domino’s has since resolved the issue.
“We take security extremely seriously and discovered this issue last year during one of our frequent reviews. We are pleased to say it was resolved very quickly,” Rod Brooks, Domino’s head of IT, told Motherboard in a statement.
What is interesting to note is that Price cites the incident as having occurred three years ago, and Domino’s claims to have discovered the issue just last year. That’s a lot of free pizza for those whose taste buds fought off their conscience.