Extra cheese, pepperoni… and software vulnerabilities?
Paul Price, a computer security researcher based in the United Kingdom, three years ago hit the pizza jackpot. He found a computer bug affecting a Domino’s mobile app on Google (GOOG) Android that allowed him to place orders free of charge.
After requesting a pepperoni, mushroom, and pineapple pie through the app, Price decided to poke around the source code, he writes on his personal blog. That’s when he discovered a poorly contrived—and easily exploitable—payment process.
All Price had to do to hack the system was to input some obviously fake debit card information (Visa (V) number: 4111111111111111), intercept the traffic between his phone and Domino’s (DPZ) computer servers, and tweak the data that typically turns up an error message, he says. He rewrote that data to read “accepted” instead of “declined,” which green-lit the order.
“Errr, what? It looks like my order was placed without a valid payment,” he writes, recalling his incredulous reaction. Price then contacted the store to confirm that the pie was in the oven and would be delivered shortly, at which point he realized that he would have to set the matter aright.
“My first thought: awesome. My second thought: shit,” Price writes, recounting his internal dialogue. When the delivery person arrived, he explained that there had been a problem with his card. He reimbursed the courier in cash.
A Domino’s spokesperson emailed Fortune a statement attributed to Rod Brooks, the restaurant chain’s head of IT, who said the company had “discovered this issue last year during one of our frequent reviews. We are pleased to say it was resolved very quickly.”
This is not the first time Domino’s has accidentally given away free pizza. In March 2009, the restaurant chain mistakenly offered up 11,000 pies at no cost due to a website glitch.
No one may ever know how many slices hackers made off with as a result of the most recent flaw.
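As the article describes it, changing the relayed payment result from “declined” to “accepted” was enough for the order to go through. The following Python example is added here (it is not code from the article, Price's blog or Domino's) and contrasts an order handler that trusts the relayed status with one that checks the processor's own record; the gateway stub, function names and sample order are assumptions, and the card number is the fake one quoted above.

```python
# Added illustration, not code from the article or from Domino's.
# All names are hypothetical; StubGateway is a constructed processor stand-in.
import secrets


class StubGateway:
    def __init__(self, funded_cards):
        self._funded = set(funded_cards)
        self._records = {}  # payment_ref -> result held on the processor side

    def authorize(self, order_id, card_number, amount_pence):
        ref = secrets.token_hex(8)
        status = "accepted" if card_number in self._funded else "declined"
        self._records[ref] = {"order_id": order_id, "status": status,
                              "amount_pence": amount_pence}
        return ref, status

    def lookup(self, ref):
        return self._records.get(ref)


def fulfil_trusting_client(order, client_report):
    # Flawed pattern: the status relayed by the app decides the order.
    return client_report.get("status") == "accepted"


def fulfil_verified(order, client_report, gateway):
    # Hardened pattern: ignore the relayed status, ask the processor directly,
    # and bind its answer to this order and this amount.
    record = gateway.lookup(client_report.get("payment_ref"))
    return (record is not None
            and record["status"] == "accepted"
            and record["order_id"] == order["id"]
            and record["amount_pence"] == order["total_pence"])


def demo():
    gateway = StubGateway(funded_cards={"CONSTRUCTED-FUNDED-CARD"})
    order = {"id": "order-1", "total_pence": 1599}  # constructed sample order
    # Declined authorization whose relayed status no longer matches the record.
    ref, _ = gateway.authorize(order["id"], "4111111111111111", order["total_pence"])
    altered = {"payment_ref": ref, "status": "accepted"}
    # Genuine approval for the same order, for comparison.
    ok_ref, _ = gateway.authorize(order["id"], "CONSTRUCTED-FUNDED-CARD", order["total_pence"])
    genuine = {"payment_ref": ok_ref, "status": "accepted"}
    return {"trusting_altered": fulfil_trusting_client(order, altered),
            "verified_altered": fulfil_verified(order, altered, gateway),
            "verified_genuine": fulfil_verified(order, genuine, gateway)}


if __name__ == "__main__":
    print(demo())
```

The hardened handler also rejects an approved reference that belongs to a different order or a different amount, so a valid payment cannot stand in for another one.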