
20 minutes – Free burgers at McDonald’s with a cell phone trick

Free burgers with a simple trick: three young IT experts managed to outsmart McDonald’s. They demonstrated their hack last December at a branch in the east of the German capital, Berlin.



It all started with a receipt, explains 23-year-old software developer David Albert. If you order something in the store, the receipt carries a URL for taking part in a survey. If you fill in the information there, you receive a coupon for a free drink.

Free burger

He noticed that the same information was always sent to the server. So he wrote a tool that pretends to take part in the survey over and over. “I then receive a freshly generated code every time that can be redeemed for a whole month,” Albert told Vice.com.

Lenny Bakkalian, a colleague of Albert’s and also a computer scientist, discovered another gap in the system, one that builds on the code generator. With it, it would be possible to order hundreds of burgers or thousands of drinks for free.

How the hack works

For the free order, they used an internet hotspot, a cell phone and a notebook. The order was placed via the app, where they entered the coupon number for the free drink. They intercepted the order on the PC, where it could be manipulated using a tool they had developed themselves.

They slipped any number of items into the coupon section. The demo order included curly fries, three fries, one chicken nuggets and a Fanta. Then they sent the order. Cost: 0.00 instead of 17 euros.
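The manipulation described above only works if the server accepts what the client says is covered by the coupon. The following added example (not code from the article, the researchers or McDonald’s) sketches a server-side check that recomputes the total and limits a coupon to one unit of its own category. The order format, item ids, prices and coupon code are all constructed assumptions.

```python
from decimal import Decimal

# Constructed server-side catalogue: item id -> (price in euros, category).
CATALOG = {
    "fanta": (Decimal("2.50"), "drink"),
    "fries": (Decimal("3.00"), "side"),
    "curly_fries": (Decimal("3.50"), "side"),
    "chicken_nuggets": (Decimal("5.00"), "main"),
}

# Constructed coupon store: code -> category it covers and whether it was used.
COUPONS = {"DRINK-0001": {"category": "drink", "redeemed": False}}


def price_order(order):
    """Recompute the total on the server, ignoring anything the client priced.

    `order` is a hypothetical client payload:
    {"items": [{"id": str, "qty": int, "coupon": bool}], "coupon_code": str}
    Returns the amount due; raises ValueError if the order is inconsistent.
    """
    coupon = COUPONS.get(order.get("coupon_code"))
    free_used = False
    total = Decimal("0")
    for line in order["items"]:
        qty = line.get("qty")
        if line.get("id") not in CATALOG or not isinstance(qty, int) or qty < 1:
            raise ValueError(f"invalid order line: {line!r}")
        price, category = CATALOG[line["id"]]
        if line.get("coupon"):
            # A line claimed as free must match a valid, unused coupon,
            # and the coupon covers exactly one unit of its own category.
            if coupon is None or coupon["redeemed"]:
                raise ValueError("unknown or already redeemed coupon")
            if category != coupon["category"] or free_used:
                raise ValueError(f"coupon does not cover {line['id']}")
            free_used = True
            qty -= 1
        total += price * qty
    if free_used:
        coupon["redeemed"] = True  # single use, recorded only on success
    return total
```

With this check, an order that files every item under the coupon is rejected, while the same items with only the drink marked as free are charged at the catalogue price.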

The trio emphasizes that they did not want to enrich themselves illegally. When the three picked up the order and explained what had happened, the store manager declined payment several times. They decided to give the food to the homeless.

Gap closed

They had already reported the vulnerability to McDonald’s in November, Albert told Vice.com. He feared that someone could automate the hack and enrich themselves with it. The fast food chain told the online magazine that the app meets conventional security requirements. The vulnerability was closed in mid-December.

(Tob)
