
Recently my buddy at work wanted to order some food for lunch from a website that we usually order from. The site allows the visitor to become a member of the site by registering and then logging in.

By becoming a member, they can basically track your orders, allowing you to collect "bonus points" or what have you. Similar to a lot of things, at least here in the US, where you can obtain free stuff based on points.

Because we often buy from this site we had some points to get some free food. We did not, however, have enough to get a couple of large pizzas; we were only off by around 20 points. The guy I work with is a beginner developer who concentrates on user interfaces. I am a bit more experienced and know a bit more about server side / client side code as well as databases. While ordering we were discussing how sites like the one we were on sanitize inputs, as well as having a discussion about sites validating data on the client and server side.

As he wanted to see some stuff, I was able to show him from this site that, yes, in fact they were validating on the client side and the server side when you ordered regular items from their menu. As we were on the bonus points page, where you can add items using your points, I noticed some very questionable code on the client side. I noticed some fairly odd AJAX calls that were simply passing in the cost (in points) for an item as well as the logged-in user's points. This way they could do a check: if(userPoints >= neededPoints){ //allow adding for free } else { //don't! }.

The problem is this can easily be compromised. Sure enough, I could make the AJAX call and obtain the item even if I did not have any points. Surely, I thought, when I "submitted" my order the server side would catch this... so my buddy said try it. We tried it and it went through... drove to the pizza place, and sure enough the food was made. Mind you, I ended up giving this local place what it would normally cost us to order the pizza. Since this was a local chain, they did not know what the issue was, and I told them I would contact the corporate branch to remedy the situation. No one has gotten back to me. Should I continue to contact the corporate office and send emails stating that their site was vulnerable? What can I do to convey the message that they have a problem that needs to be fixed ASAP?

Please note the existing "dupe" that someone linked to doesn't help me as I cannot contact the developers.

JonH
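The pattern the question describes (the browser sending both the item's point cost and the user's balance, and the server comparing the two numbers it was handed) beside a server-side version and a ledger audit, as an added JavaScript example that is not the ordering site's code. The store layout, the account and item names, the point values and the request bodies are all constructed for the example.

```javascript
// Added example, not the ordering site's code. Models two designs for a reward
// redemption endpoint: one that trusts cost and balance from the client, and one
// that looks both up server-side. All names and values below are constructed.

// Fresh constructed server state: one account, a small reward catalogue, a ledger.
function makeStore() {
  return {
    accounts: new Map([["alice", { points: 80 }]]),
    catalogue: new Map([["large_pizza", 100], ["garlic_bread", 20]]),
    ledger: [], // one entry per successful redemption
  };
}

// VULNERABLE: the shape described in the question. The request body carries the
// item's cost in points and the user's balance; the server compares what it was sent.
function redeemTrustingClient(store, session, body) {
  const { itemId, neededPoints, userPoints } = body;
  if (userPoints >= neededPoints) {
    const acct = store.accounts.get(session.user);
    acct.points = userPoints - neededPoints; // server state overwritten with client values
    store.ledger.push({ user: session.user, item: itemId, cost: neededPoints,
                        balanceBefore: userPoints });
    return { ok: true, item: itemId, remaining: acct.points };
  }
  return { ok: false, reason: "insufficient points" };
}

// HARDENED: only the item identifier comes from the client. The price is read from
// the catalogue and the balance from the account record, so the client-side check
// is a convenience for the UI and the server decides on its own data.
function redeemServerSide(store, session, body) {
  const itemId = typeof body.itemId === "string" ? body.itemId : null;
  const cost = store.catalogue.get(itemId);
  if (cost === undefined) return { ok: false, reason: "unknown item" };
  const acct = store.accounts.get(session.user);
  if (!acct) return { ok: false, reason: "not signed in" };
  if (acct.points < cost) return { ok: false, reason: "insufficient points" };
  const balanceBefore = acct.points;
  acct.points -= cost;
  store.ledger.push({ user: session.user, item: itemId, cost, balanceBefore });
  return { ok: true, item: itemId, remaining: acct.points };
}

// Detection: reconcile the ledger against the catalogue. A redemption whose recorded
// cost differs from the list price, or whose balance did not cover the cost, can only
// have been computed from client-supplied numbers.
function auditLedger(store) {
  return store.ledger.filter((e) =>
    store.catalogue.get(e.item) !== e.cost || e.balanceBefore < e.cost);
}

// Constructed requests: the honest browser sends the real numbers for an item the
// account cannot afford; the edited request is the same call with the cost changed.
const session = { user: "alice" };
const honestRequest = { itemId: "large_pizza", neededPoints: 100, userPoints: 80 };
const editedRequest = { itemId: "large_pizza", neededPoints: 0, userPoints: 80 };

function demo() {
  const vulnerable = makeStore();
  const trustedHonest = redeemTrustingClient(vulnerable, session, honestRequest);
  const trustedEdited = redeemTrustingClient(vulnerable, session, editedRequest);

  const hardened = makeStore();
  const serverHonest = redeemServerSide(hardened, session, honestRequest);
  const serverEdited = redeemServerSide(hardened, session, editedRequest);
  // A redemption the balance does cover still works on the hardened path.
  const serverLegit = redeemServerSide(hardened, session, { itemId: "garlic_bread" });

  return {
    trustedHonest, trustedEdited, serverHonest, serverEdited, serverLegit,
    flagged: auditLedger(vulnerable).length,   // 1: the zero-cost pizza
    cleanLedger: auditLedger(hardened).length, // 0: only the garlic bread, at list price
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the split is that the hardened handler never reads a price or a balance from the request at all, so there is nothing for the client-side check to protect; the audit is the kind of reconciliation a shop could run over historical redemptions to see whether the trusting handler was ever exercised.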
  • @AndrolGenhald - That question doesn't help me because I cannot get to the developers - hence my question... – JonH Aug 16 '18 at 15:38
  • The only real difference between this and the duplicates others are listing is that you don't know how to contact the developers. In this case, the local franchise owner should have a more direct line to corporate than "normal" customers like you. Have the franchisee call and start the conversation saying that a customer figured out how to steal pizza from them. Then follow responsible disclosure. -- Also I've found that vulgarly insulting the intelligence of the developers in the email doesn't get a response, but does get quick results, as the cust. svc. reps pass that email around. – Ghedipunk Aug 16 '18 at 15:50
  • Going to downvote this, as this is off topic, and not described as a question. – Kristoffer Tølbøll Feb 01 '19 at 17:08

0 Answers