Imagine having access to an unlimited supply of Domino's pizza.
Paul Price, an IT security consultant, stumbled upon a way to order Domino's pizza without having to pay.
While ordering through the app, his curiosity about how it worked got the better of him, and he decided to have a look around the app's source code.
While he was looking through the code he noticed something. On his blog, he said, “Something immediately catches my eye…
“The Domino’s app itself was processing payments client side via a payment gateway.
“This isn’t inherently bad if it has been correctly implemented with the appropriate server side checks – it’s just bad practice. Usually, payments would be processed server side so that the process is hidden and out of the hands of meddling users.”
Next, he deliberately placed an order in the app using an invalid credit card, and once the payment was rejected he set about tampering with the app's handling of that result.
Among the changes he made was swapping the payment status 'DECLINED' for 'APPROVED', and to his surprise the order was accepted: the server took the client's word for it that the payment had succeeded, with no check of its own against the payment gateway.
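The failure described above is easiest to see side by side with its fix. The following is an added example (it is not Domino's code, nor Paul Price's), written in Python with a simulated gateway, a hypothetical shared signing key and constructed order data. The insecure handler trusts whatever payment status the client reports, so the DECLINED-to-APPROVED swap is accepted; the hardened handler requires a gateway-signed receipt and checks it against the server's own record of the order, which also catches a related trick the article does not mention: paying a smaller amount and presenting that receipt for a larger order.

```python
import hashlib
import hmac
import json

# Hypothetical key shared only by the payment gateway and the merchant backend.
# The client never sees it, so it cannot forge or alter a signed receipt.
GATEWAY_SECRET = b"example-gateway-signing-key"

# Constructed sample: the server's own record of what each order should cost.
ORDERS = {"ORD-1001": {"amount_pence": 1999, "currency": "GBP"}}


def canonical(receipt: dict) -> bytes:
    """Stable serialisation so the same receipt always signs identically."""
    return json.dumps(receipt, sort_keys=True, separators=(",", ":")).encode()


def sign_receipt(receipt: dict) -> str:
    """HMAC-SHA256 over the canonical receipt (gateway side and server side)."""
    return hmac.new(GATEWAY_SECRET, canonical(receipt), hashlib.sha256).hexdigest()


def gateway_charge(order_id: str, amount_pence: int, currency: str, card_number: str):
    """Simulated gateway: declines a test card ending in 0000, approves otherwise.
    Returns the receipt the client will carry back plus the gateway's signature."""
    status = "DECLINED" if card_number.endswith("0000") else "APPROVED"
    txn_id = "txn_" + hashlib.sha256(f"{order_id}:{amount_pence}:{card_number}".encode()).hexdigest()[:8]
    receipt = {
        "order_id": order_id,
        "amount_pence": amount_pence,
        "currency": currency,
        "status": status,
        "txn_id": txn_id,
    }
    return receipt, sign_receipt(receipt)


def place_order_insecure(order_id: str, receipt: dict) -> str:
    """Vulnerable: the server believes the client's copy of the gateway response."""
    if order_id not in ORDERS:
        return "REJECTED: unknown order"
    if receipt.get("status") == "APPROVED":
        return "ACCEPTED"
    return "REJECTED: payment not approved"


def place_order_secure(order_id: str, receipt: dict, signature: str) -> str:
    """Hardened: the receipt must carry a valid gateway signature and must match
    the server-side order (same order id, amount and currency) before the
    status field is even consulted."""
    order = ORDERS.get(order_id)
    if order is None:
        return "REJECTED: unknown order"
    # Constant-time comparison; any edit to the receipt invalidates the HMAC.
    if not hmac.compare_digest(sign_receipt(receipt), signature):
        return "REJECTED: receipt signature invalid"
    if (receipt.get("order_id") != order_id
            or receipt.get("amount_pence") != order["amount_pence"]
            or receipt.get("currency") != order["currency"]):
        return "REJECTED: receipt does not match order"
    if receipt.get("status") != "APPROVED":
        return "REJECTED: payment not approved"
    return "ACCEPTED"


def demo() -> dict:
    """Replay the attack from the article against both handlers."""
    # The client charges a card the gateway declines...
    receipt, sig = gateway_charge("ORD-1001", 1999, "GBP", "4000000000000000")
    # ...then edits the response before forwarding it to the order server.
    tampered = dict(receipt, status="APPROVED")
    return {
        "insecure_tampered": place_order_insecure("ORD-1001", tampered),
        "secure_tampered": place_order_secure("ORD-1001", tampered, sig),
        "secure_genuine_decline": place_order_secure("ORD-1001", receipt, sig),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A signed receipt is the minimum that lets the client keep talking to the gateway directly, as the quoted blog says Domino's still does; the stricter design is for the server to ignore the client's copy entirely and confirm the transaction id with the gateway over a server-to-server call before releasing the order.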
Twenty minutes later his free pizza was delivered.
Paul, being the honest person that he is, would not let the driver leave without paying for it.
Paul added, “Domino’s have since resolved the issue, which is one of the reasons why I’ve decided to post this article. Payments are still being processed client side but they now have the proper server side checks in place.”
