Researcher Paul Price found the app was processing payments client side via a payment gateway, according to an April 4 blog post.
Price said the method itself isn’t inherently risky if implemented correctly, but can be a bad practice because it allows users to manipulate functions.
In this case, Price was able to intercept the payment response and manipulate values to make the system accept invalid payment card numbers. Price said the hack was possible because Domino’s didn’t verify the reference on the server side.
The issue has since been resolved and that Price said he paid for the pizza when it arrived.
“The moral of the story is to always validate your inputs server side,” he said.