Short Bytes: Paul Price, a security consultant from the UK, found a bug in Domino’s Pizza app that allowed him to get free pizza without making any payment. Here’s his story, telling more about the bug and what Price did when he came to know about the issue.
That was the situation Paul Price, a security consultant from the UK, found himself in when he discovered a bug in the British version of the Domino's Pizza app. He found that the app's API didn't validate payments correctly.
As a result, a user with enough technical knowledge could exploit the loophole, trick the pizza-ordering application into accepting an invalid payment, and order a free pizza.
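The page does not describe the exact mechanism of the Domino's bug, only its effect: an order was accepted without a valid payment. The example below is added here to illustrate that class of failure in general and is not code from Price's blog post or from Domino's. It contrasts an order handler that trusts a payment status supplied by the client (the "vulnerable" form, assumed for illustration) with one that checks the transaction server-side against the payment gateway's own record before the order reaches the kitchen, plus the kind of back-office reconciliation Price hoped existed. All names, the gateway records and the order data are constructed for the example.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed data standing in for the payment provider's records. In a real
# system this is a server-to-server lookup at the gateway, never a value the
# mobile app sends along with the order.
GATEWAY_RECORDS = {
    "txn-ok-001": {"status": "captured", "amount": Decimal("26.00"), "currency": "GBP"},
    "txn-declined-002": {"status": "declined", "amount": Decimal("26.00"), "currency": "GBP"},
    "txn-short-003": {"status": "captured", "amount": Decimal("0.01"), "currency": "GBP"},
}


@dataclass
class OrderRequest:
    order_id: str
    total: Decimal
    currency: str
    transaction_id: str
    client_payment_status: str  # what the app *claims* happened; untrusted input


def vulnerable_place_order(req: OrderRequest) -> dict:
    """Hypothetical weak handler: believes the client's own report of payment.

    Anyone who can edit the request body can set the status to "paid" and the
    order goes through regardless of what the gateway actually did.
    """
    if req.client_payment_status != "paid":
        return {"accepted": False, "reason": "client reported unpaid"}
    return {"accepted": True, "order_id": req.order_id}


def hardened_place_order(req: OrderRequest, used_transactions: set,
                         gateway: dict = GATEWAY_RECORDS) -> dict:
    """Accepts the order only if the gateway's own record supports it.

    Checks: the transaction exists, was actually captured, is for the right
    amount and currency, and has not already been spent on another order.
    The client's claimed status is deliberately ignored.
    """
    rec = gateway.get(req.transaction_id)
    if rec is None:
        return {"accepted": False, "reason": "unknown transaction"}
    if rec["status"] != "captured":
        return {"accepted": False, "reason": f"payment status is {rec['status']}"}
    if rec["currency"] != req.currency or rec["amount"] != req.total:
        return {"accepted": False, "reason": "amount or currency mismatch"}
    if req.transaction_id in used_transactions:
        return {"accepted": False, "reason": "transaction already used"}
    used_transactions.add(req.transaction_id)
    return {"accepted": True, "order_id": req.order_id}


def reconcile_before_kitchen(accepted_orders: list, gateway: dict = GATEWAY_RECORDS) -> list:
    """Back-office check: hold any accepted order whose payment does not reconcile.

    Returns the IDs of orders that should not be prepared. This is the safety
    net that catches a bad order even if the API check above is bypassed.
    """
    held = []
    for req in accepted_orders:
        rec = gateway.get(req.transaction_id)
        paid_in_full = (
            rec is not None
            and rec["status"] == "captured"
            and rec["currency"] == req.currency
            and rec["amount"] == req.total
        )
        if not paid_in_full:
            held.append(req.order_id)
    return held


if __name__ == "__main__":
    # Constructed scenario: a declined card, but the app claims "paid".
    bad = OrderRequest("order-1", Decimal("26.00"), "GBP", "txn-declined-002", "paid")
    print("vulnerable:", vulnerable_place_order(bad))   # accepted
    print("hardened:", hardened_place_order(bad, set()))  # rejected
    print("held by back office:", reconcile_before_kitchen([bad]))
```

The two handlers receive the same request; only the source of truth differs. The point a practitioner should take from it is that payment status is a fact the server learns from the gateway, not a field the client gets to assert, and that a reconciliation pass before food is prepared is cheap insurance against the API check being wrong.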
“Errr, what? It looks like my order was placed without a valid payment,” Price wrote in a blog post. “Surely this is an oversight/edge case and Domino’s will have back office checks in place before physically starting to prepare my order…right?”
Price didn’t quite believe the trick had worked, so he called Domino’s to double-check and learned that his pizza was already being prepared.
“I called the store and they confirm they have received my order and it will be delivered within the next 20 minutes. My first thought: awesome. My second thought: shit” — he writes in his blog post.
When the pizza arrived at his door, Price told the delivery driver there must have been a mistake with the order, since he had never paid for it. He paid the £26 and kept his conscience clean.
Domino’s Pizza has since fixed the bug, which is why Price decided to share the story.
“We take security extremely seriously and discovered this issue last year during one of our frequent reviews. We are pleased to say it was resolved very quickly,” says Rod Brooks, Domino’s head of IT.
What are your thoughts on this incident? What would your response have been after finding such a vulnerability?