Domino's hack: A lifetime of free pizza just one poor security practice away

Researcher takes advantage of poor payment authentication security practices at Domino's pizza app to get a free pizza.

A poor security practice in the payment authentication process in the Domino's Pizza Android mobile application allowed a U.K. security consultant to order a pizza free of charge.

Researcher Paul Price found the app was processing payments client side via a payment gateway, according to an April 4 blog post.

Price said the method itself isn't inherently risky if implemented correctly, but can be a bad practice because it allows users to manipulate functions.

In this case, Price was able to intercept the payment response and manipulate values to make the system accept invalid payment card numbers. Price said the hack was possible because Domino's didn't verify the reference on the server side.

The issue has since been resolved, and Price said he paid for the pizza when it arrived.

“The moral of the story is to always validate your inputs server side,” he said. 
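As an added illustration, not code from Price's post or from Domino's, the following Python model shows the flow the article describes: the app posts card details straight to the payment gateway, forwards the gateway's response to the merchant backend, and the backend either trusts the forwarded status (the flaw) or looks the reference up server-to-server with the gateway and checks amount, currency and replay before accepting the order. The gateway class, Luhn check, card numbers, order IDs and function names are all assumptions constructed for this example.

```python
"""Client-side payment confirmation: trusting the client vs verifying with the gateway."""
from dataclasses import dataclass, field


def luhn_ok(number: str) -> bool:
    """Minimal Luhn check so the constructed gateway can decline a made-up card number."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class FakeGateway:
    """Constructed stand-in for the third-party gateway. It records only the charges
    it actually authorised; a real gateway exposes a server-to-server lookup for this."""
    authorised: dict = field(default_factory=dict)
    counter: int = 0

    def charge(self, card_number: str, amount_pence: int, currency: str) -> dict:
        """The response the mobile app receives after posting card details to the gateway."""
        self.counter += 1
        ref = f"GW-{self.counter:06d}"
        resp = {"status": "declined", "reference": ref, "amount": amount_pence, "currency": currency}
        if luhn_ok(card_number):
            self.authorised[ref] = {"amount": amount_pence, "currency": currency}
            resp["status"] = "success"
        return resp

    def lookup(self, ref: str):
        """Server-to-server query the merchant backend can make about a reference."""
        return self.authorised.get(ref)


@dataclass
class Order:
    order_id: str
    amount_pence: int
    currency: str = "GBP"


def confirm_order_insecure(order: Order, forwarded: dict) -> bool:
    """Mirrors the flaw in the article: the backend believes whatever status the
    client forwards and never asks the gateway whether the reference is real."""
    return forwarded.get("status") == "success"


class OrderService:
    """Hardened backend: the client's claim is ignored; only the gateway's own record counts."""

    def __init__(self, gateway: FakeGateway):
        self.gateway = gateway
        self.used_references: set[str] = set()

    def confirm_order_secure(self, order: Order, forwarded: dict) -> bool:
        ref = forwarded.get("reference")
        if not isinstance(ref, str) or not ref:
            return False
        if ref in self.used_references:
            return False                      # replay of a reference from an earlier paid order
        txn = self.gateway.lookup(ref)        # server-to-server, independent of the client
        if txn is None:
            return False                      # declined, forged or unknown reference
        if txn["amount"] != order.amount_pence or txn["currency"] != order.currency:
            return False                      # paid for something other than this order
        self.used_references.add(ref)
        return True


def run_scenarios() -> dict:
    """Returns {scenario: (insecure_accepts, secure_accepts)} for constructed inputs."""
    gw = FakeGateway()
    svc = OrderService(gw)
    order = Order("A1", 1299)

    genuine = gw.charge("4111111111111111", 1299, "GBP")    # Luhn-valid test number
    declined = gw.charge("1234567812345678", 1299, "GBP")   # fails Luhn, gateway declines
    tampered = dict(declined, status="success")             # edited in an intercepting proxy
    forged = {"status": "success", "reference": "GW-999999", "amount": 1299, "currency": "GBP"}
    underpaid = gw.charge("4111111111111111", 100, "GBP")   # real charge, wrong amount

    results = {}
    for name, payload, target in [
        ("genuine", genuine, order),
        ("tampered_status", tampered, order),
        ("forged_reference", forged, order),
        ("replayed_reference", genuine, Order("B1", 1299)),
        ("underpaid", underpaid, order),
    ]:
        results[name] = (confirm_order_insecure(target, payload),
                         svc.confirm_order_secure(target, payload))
    return results


if __name__ == "__main__":
    for name, (insecure, secure) in run_scenarios().items():
        print(f"{name:20s} insecure={insecure} secure={secure}")
```

The insecure handler accepts every scenario because it only reads the status field the client sent. The hardened handler accepts only the genuine charge: flipping a declined response, inventing a reference, replaying a reference already consumed, and paying a smaller amount all fail because the backend consults the gateway's own record rather than the client's copy of it.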
