Recalling the memories of the infamous McDonald’s data breach of 2010, Domino’s India has sent out an email to all their registered online-store customers about a “hacking attempt” yesterday.
Quoting the email message:
We have come to know that someone has hacked our website with malicious intent and, with the help of a script, managed to extract some information on customer phone numbers, email IDs and delivery addresses of some customers. Although this data is not classified information about our customers, still as a responsible corporate we thought it’s our duty to inform you about this. (Full Email).
It reminded me of the Facebook vulnerability that we had discovered a while back. Since our team had discovered the Domino’s issue in early December 2010, there are a few additions to the above information:
- The flaw was in the data API that Domino’s Pizza had in place. It was an open API (with full documentation at the index!), and it was trivial to extract customer information by querying randomly generated phone numbers.
- The email quoted above attributes the problem to a delay in IVR authentication, but the fact remains that the data API site did not use any authentication, CAPTCHA or request-throttling mechanism. In fact, as stated, the whole documentation for using the API was listed publicly.
- We had tried to contact Domino’s customer care over the phone, but the helpdesk wasn’t able to connect us to the right technical contact. This is a common problem in the responsible disclosure path. After a few attempts, we sidelined (and forgot about) the issue, and ordered from Pizza Hut instead. We should have emailed them. (Although I doubt it would have made much difference, seeing the attitude we met with in some previous disclosures to other concerns.)
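The enumeration described in the points above (a lookup API answering unauthenticated queries for arbitrary phone numbers, with no throttling) leaves a recognisable trace in the server’s access logs. The following Python is an added example, not code from the original post or from Domino’s: it assumes a constructed log-line format and a hypothetical `/api/customer?phone=` endpoint, and flags clients that query many distinct phone numbers within a short window, which is the same signal a rate limiter or a detection rule would key on.

```python
"""Flag clients enumerating a customer-lookup API by phone number.
Added example, not from the original post. The log layout is assumed:
"<ISO timestamp> <client_ip> GET /api/customer?phone=<digits> <status>".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical endpoint path and log layout, chosen for this example.
LOG_RE = re.compile(r"^(\S+) (\S+) GET /api/customer\?phone=(\d+) (\d{3})$")

def parse_line(line):
    """Return (timestamp, ip, phone, status), or None if the line doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, ip, phone, status = m.groups()
    return datetime.fromisoformat(ts), ip, phone, int(status)

def find_enumerators(lines, window=timedelta(minutes=1), max_distinct=5):
    """Map client IP -> peak count of distinct phone numbers queried within
    any sliding `window`, for clients whose peak exceeds `max_distinct`.
    A real customer repeats their own number; a script walking generated
    numbers produces many distinct values in a short time."""
    events = defaultdict(list)  # ip -> [(timestamp, phone), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, ip, phone, _status = parsed
            events[ip].append((ts, phone))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Drop events from the left until the window spans <= `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({phone for _, phone in evs[start:end + 1]})
            if distinct > max_distinct:
                flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged

# Constructed sample log: one customer checking their own number twice,
# and one client walking eight different numbers in eight seconds.
SAMPLE_LOG = [
    "2010-12-01T10:00:00 10.0.0.5 GET /api/customer?phone=9800000001 200",
    "2010-12-01T10:00:30 10.0.0.5 GET /api/customer?phone=9800000001 200",
] + [
    f"2010-12-01T10:01:{i:02d} 203.0.113.9 GET /api/customer?phone=98{i:08d} 200"
    for i in range(8)
]
```

Running `find_enumerators(SAMPLE_LOG)` flags only the scripted client; the same sliding-window count can be fed to a throttle that refuses further lookups once the threshold is crossed.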
As day-to-day users of similar services, we have found several similar issues in other sites and applications. Although these types of issues are not technically advanced vulnerabilities, they can lead to privacy breaches. We will be releasing a few of them soon, but this time only after trying to communicate the issues via all possible means. Watch this space!