
Domino’s hack: A lifetime of free pizza just one poor security practice away


A poor security practice in the payment authentication process in the Domino's Pizza Android mobile application allowed a U.K. security consultant to order a pizza free of charge.

Researcher Paul Price found the app was processing payments client side via a payment gateway, according to an April 4 blog post.

Price said the method itself isn't inherently risky if implemented correctly, but can be a bad practice because it allows users to manipulate functions.

In this case, Price was able to intercept the payment response and manipulate values to make the system accept invalid payment card numbers. Price said the hack was possible because Domino's didn't verify the reference on the server side.

The issue has since been resolved, and Price said he paid for the pizza when it arrived.

“The moral of the story is to always validate your inputs server side,” he said. 
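
To make that moral concrete, here is an added example (not Domino's or Paul Price's code) contrasting a server-side order endpoint that trusts the client's reported payment result with one that checks the payment reference against the gateway itself; the `MockGateway` class and its `lookup`/`consume` methods are an assumed stand-in for a real gateway's server-to-server API.

```python
"""Added example, not the article's or Domino's code: trusting a client-supplied
payment result versus verifying the reference with the gateway. MockGateway is an
assumed stand-in for a real gateway's server-to-server lookup API."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

@dataclass(frozen=True)
class Order:
    order_id: str
    amount_pence: int

class MockGateway:
    def __init__(self) -> None:
        # Constructed sample data: the only payment the gateway really captured.
        self._captured: Dict[str, dict] = {"pay_7f3a": {"status": "success", "amount_pence": 1299}}
        self._used: Set[str] = set()

    def lookup(self, reference: str) -> Optional[dict]:
        return self._captured.get(reference)

    def consume(self, reference: str) -> bool:
        """Return False if this reference was already spent on an earlier order."""
        if reference in self._used:
            return False
        self._used.add(reference)
        return True

def place_order_insecure(order: Order, client_payment: dict) -> bool:
    """Vulnerable pattern: the app forwards the gateway response and the server
    believes its 'status' field, so a rewritten response is accepted as paid."""
    return client_payment.get("status") == "success"

def place_order_secure(order: Order, client_payment: dict, gateway: MockGateway) -> bool:
    """Hardened pattern: only the reference is taken from the client; status and
    amount come from the gateway, and each reference pays for one order."""
    ref = client_payment.get("reference")
    record = gateway.lookup(ref) if ref else None
    if record is None or record["status"] != "success":
        return False                       # unknown, failed or forged reference
    if record["amount_pence"] != order.amount_pence:
        return False                       # paid less than the basket total
    return gateway.consume(ref)            # reject replay of one real payment

def demo() -> Tuple[bool, bool]:
    """Constructed tampered response: 'status' set to success, bogus reference."""
    order, gateway = Order("ord-1", 1299), MockGateway()
    tampered = {"status": "success", "reference": "pay_forged"}
    return (place_order_insecure(order, tampered),
            place_order_secure(order, tampered, gateway))
```

`demo()` returns `(True, False)`: the insecure endpoint accepts the tampered response, the secure one rejects it because the gateway has no record of that reference.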
