Hacker finds way to get free pizza for life. Comes clean.

ByCraig Haley

A computer hacker could have had free pizza for life, but is conscious got the better of him.

Paul Price, a computer security researcher in the UK, discovered a bug with the Dominos mobile app that allowed him to order free pizza, anytime he wanted. Well, presumably only when the store was open, but you get the picture.

Price was taking a look at how the Dominos ordering and tracking app on his mobile phone worked when he discovered that it was the app itself that was processing the payment details and sending them to the Dominos servers.

When it is the software that the customer is using that does all the processing, that is called “client side”. For security reasons, client-side processing generally isn’t advised because there is a higher chance the user can access and “hack” the code. The safer alternative is “server side” – where the processing is done on secure servers that sit behind security software and are much harder for someone to access.


Sponsored Content. Continued below...




But alas, in the case of the Dominos ordering app, the payment processing was done client-side on the app itself. This isn’t itself disastrous, as long as there are some server-side checks to make sure the data coming from the app hasn’t been tampered with.

But again, in this case, there were no server-side checks. This means Price was able to make an order for a pizza using faked credit card details, and then using special software he then tampered with the output sent from the app back to Dominos. Basically, Price was able to set the payment status value to 1, which meant accepted, when it would have otherwise said declined.

So off went Price’s order along with the tampered app data, and his local Dominos picked up the order and within minutes the Dominos app reported that his free pizza was being “prepped”.

However, Price got impatient. Did his spoof order really work?

A few minutes pass and the Pizza Tracker changes from “Order” to “Prep” and then to “Baking”. I couldn’t bear to wait another 30 minutes to see if an Americano pizza, Chicken Strippers and Chocolate Chip Cookie + Ice Cream side turn up at my door.
I called the store and they confirm they have received my order and it will be delivered within the next 20 minutes. My first thought: awesome. My second thought: s**t.

Price couldn’t accept the free pizza. He told the driver that he didn’t enter his credit card details and he paid for the pizza in cash.

Good news for all those pizza fans, right? Sadly not. Dominos reported they fixed the bug. Their servers are now performing the relevant checks to see if those payment details have been tampered with. Bad luck, then!

Keep up-to-date with all our latest articles. Follow us on Facebook, Instagram and Twitter.

Continued below...


Thanks for reading! But before you go… as part of our latest series of articles on how to earn a little extra cash using the Internet (without getting scammed) we have been looking into how you can earn gift vouchers (like Amazon vouchers) using reward-per-action websites such as SwagBucks. If you are interested we even have our own sign-up code to get you started. Want to learn more? We discuss it here. (Or you can just sign-up here and use code Nonsense70SB when registering.)

Become a Facebook Supporter. For 0.99p (~$1.30) a month you can become a Facebook fan, meaning you get an optional Supporter Badge when you comment on our Facebook posts, as well as discounts on our merchandise. You can subscribe here (cancel anytime.)