Hacker finds way to get free pizza for life. Comes clean.
A computer hacker could have had free pizza for life, but his conscience got the better of him.
Paul Price, a computer security researcher in the UK, discovered a bug with the Dominos mobile app that allowed him to order free pizza, anytime he wanted. Well, presumably only when the store was open, but you get the picture.
Price was taking a look at how the Dominos ordering and tracking app on his mobile phone worked when he discovered that it was the app itself that was processing the payment details and sending them to the Dominos servers.
When it is the software that the customer is using that does all the processing, that is called “client side”. For security reasons, client-side processing generally isn’t advised because there is a higher chance the user can access and “hack” the code. The safer alternative is “server side” – where the processing is done on secure servers that sit behind security software and are much harder for someone to access.
But alas, in the case of the Dominos ordering app, the payment processing was done client-side on the app itself. This isn’t itself disastrous, as long as there are some server-side checks to make sure the data coming from the app hasn’t been tampered with.
But again, in this case, there were no server-side checks. This means Price was able to place an order for a pizza using faked credit card details and then, using special software, tamper with the output sent from the app back to Dominos. Basically, Price was able to set the payment status value to 1, which meant accepted, when it would otherwise have said declined.
So off went Price’s order along with the tampered app data, and his local Dominos picked up the order and within minutes the Dominos app reported that his free pizza was being “prepped”.
However, Price got impatient. Did his spoof order really work?
“A few minutes pass and the Pizza Tracker changes from “Order” to “Prep” and then to “Baking”. I couldn’t bear to wait another 30 minutes to see if an Americano pizza, Chicken Strippers and Chocolate Chip Cookie + Ice Cream side turn up at my door.
“I called the store and they confirm they have received my order and it will be delivered within the next 20 minutes. My first thought: awesome. My second thought: s**t.”
Price couldn’t accept the free pizza. He told the driver that he didn’t enter his credit card details and he paid for the pizza in cash.
Good news for all those pizza fans, right? Sadly not. Dominos reported they fixed the bug. Their servers are now performing the relevant checks to see if those payment details have been tampered with. Bad luck, then!
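For the technically curious, here is the flaw and the kind of server-side check that closes it, as an added Python illustration (not code from Price or from Dominos). Every field name, transaction ID and price is made up for the example, and the lookup table stands in for a server-to-server query to the payment processor.

```python
# Added example: every name and value below is constructed, not Dominos' real API.
MENU_PENCE = {"americano_pizza": 1599, "chicken_strippers": 499, "cookies": 399}

# Stand-in for the payment processor's own records, which the server would
# fetch over a server-to-server call (assumption; the article names no processor).
PROCESSOR_RECORDS = {
    "txn-approved": {"approved": True, "amount_pence": 2497},
    "txn-declined": {"approved": False, "amount_pence": 2497},
}


def accept_trusting_client(order):
    """Flawed pattern from the article: believe the status the app reports."""
    return order.get("payment_status") == 1


class OrderVerifier:
    """Server-side check: the app's payment_status field is never consulted."""

    def __init__(self, records, menu):
        self.records = records
        self.menu = menu
        self.used = set()  # transaction ids already tied to an order

    def accept(self, order):
        txn_id = order.get("transaction_id")
        record = self.records.get(txn_id)
        if record is None or not record["approved"]:
            return False  # processor has no approved charge for this id
        if txn_id in self.used:
            return False  # one approved charge must not pay for two orders
        items = order.get("items", [])
        if not items or any(i not in self.menu for i in items):
            return False
        # Price is recomputed on the server, not taken from the request.
        if record["amount_pence"] != sum(self.menu[i] for i in items):
            return False
        self.used.add(txn_id)
        return True


ITEMS = ["americano_pizza", "chicken_strippers", "cookies"]
# What the server receives when a declined payment arrives with status set to 1.
TAMPERED = {"items": ITEMS, "transaction_id": "txn-declined", "payment_status": 1}
GENUINE = {"items": ITEMS, "transaction_id": "txn-approved", "payment_status": 1}
```

The first function accepts the tampered order because it only reads the status field; the verifier rejects it because the processor's record says the card was declined.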