The flaw - fixed at 10am this morning - was spotted yesterday by a Twitter user, James Harland, who noticed after ordering his own pizza online that it was relatively easy to find other customers' order numbers. That exposed their nearest Domino's, their pizza order and their first name.
The flaw stemmed from Domino's use of an encoding scheme to transfer customer information, without actually encrypting it.
So it would seem @Dominos_UK allow you to view anyone's pizza status. It's just a sequential order ID base64 encoded pic.twitter.com/vkF7UbFoUl
— James Harland (@JamesH) November 8, 2015
As security vulnerabilities go, this one is relatively inoffensive, since the flaw doesn't expose last names, card details or addresses. But any exposure of location and name could lead to social engineering, even if that only results in a lifetime free pizza for the hacker.
Domino's UK said it has now fixed the issue.
The breach comes shortly after the attack on TalkTalk, the biggest on any British company. The ISP this week admitted that 156,959 customers were affected by the hack. Of those, some 15,000 had bank details and sort codes accessed by hackers, while 28,000 card details were accessed.
Domino's franchises in France and Belgium suffered a serious breach last year, with hackers demanding a €30,000 (£24,000) ransom for a database of 600,000 customers' details.
Update: Marketing's original article stated that Domino's UK was working to fix the issue. The company has since clarified that the issue was fixed at 10am this morning (10 November), ahead of the article's publication. Marketing apologises for any confusion.
.jpg)
