Hacking Free Pizza for Life

Sometimes hackers do their thing for sheer financial gain as part of an organized crime ring or otherwise – but sometimes, they’re just looking for a slice of the good life.

As in, free delivery pizza for life – yeah, dawg.

Paul Price, a UK-based cybersecurity expert, was able to exploit a bug in the Domino’s Pizza mobile app (featuring everyone’s favorite non-Siri voice assistant, “Dom”) to place an order for pizza without paying. He said that he noticed that once customers had finished ordering they would sometimes be sent a £10-off voucher code, indicating that the app was processing payments client side via a payment gateway – far from best practice, and a design that leaves apps vulnerable.

After some probing around, he had an exploit and was soon awaiting his cheese-tastic, totally free prize. “I called the store and they confirmed they have received my order and it will be delivered within the next 20 minutes,” he told the Telegraph. “My first thought: awesome. My second thought: s—t.”

To his credit, he ended up paying the delivery driver and alerting the pizza chain, which fixed the app, but the episode points to an all-too-common developer error. “In this case the hack comes down to the developer not remembering that the application exists in a hostile environment,” Paul Farrington, senior solution architect at Veracode, told Slack. “Developing applications that exist on a user’s device takes the problem to the next level. The threat model is completely different. These apps can be reverse engineered, or communication intercepted and changed with relative ease.”

As easy as, well, pie.
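The design flaw behind the story is that the server believed the app’s own report that payment had succeeded. The following is an added illustration, not Domino’s code, and the gateway lookup, transaction identifiers and order values are all constructed stand-ins: it contrasts an order handler that trusts a client-supplied status with one that confirms status, amount and order binding with the gateway server-side and refuses to reuse a payment reference.

```python
"""Added illustration (not Domino's code): why an order service must confirm
payment server-side rather than trust the client's claim of success."""
from dataclasses import dataclass

# Constructed stand-in for a payment gateway's server-to-server lookup.
# In a real system this would be an authenticated call to the gateway API.
GATEWAY_RECORDS = {
    "txn_paid_001": {"status": "captured", "amount_pence": 1499, "order_id": "ORD-1"},
}
CONSUMED_TXNS = set()  # payment references already redeemed for an order


def gateway_lookup(txn_id):
    """Return the gateway's own record for a transaction, or None if unknown."""
    return GATEWAY_RECORDS.get(txn_id)


@dataclass
class Order:
    order_id: str
    total_pence: int


def accept_order_insecure(order, client_payload):
    """Flawed pattern: the server trusts whatever the app says about payment.
    Anything that can alter the app or its traffic can set this field."""
    if client_payload.get("payment_status") == "success":
        return "accepted"
    return "rejected"


def accept_order_secure(order, client_payload):
    """Hardened pattern: the client only hands over a transaction reference; the
    server asks the gateway itself and checks status, amount and order binding."""
    txn_id = client_payload.get("txn_id", "")
    if txn_id in CONSUMED_TXNS:
        return "rejected: reference already used"
    txn = gateway_lookup(txn_id)
    if txn is None:
        return "rejected: unknown transaction"
    if txn["status"] != "captured":
        return "rejected: not captured"
    if txn["amount_pence"] != order.total_pence:
        return "rejected: amount mismatch"
    if txn["order_id"] != order.order_id:
        return "rejected: transaction bound to another order"
    CONSUMED_TXNS.add(txn_id)  # one payment pays for one order only
    return "accepted"
```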

Math Guy: Perfect for 30K+ Women on OK Cupid

When you’re an applied math grad student logging a lot of thesis time, sleeping on a pallet in your cubicle, it’s hard to get out there and find your soulmate. However, one enterprising young man figured out how to find not just one, but tens of thousands of potential forever-people. He did it the not-so-old-fashioned way: he used a computer algorithm to optimize his OK Cupid profile.

As he laid out on an episode of The Secret Life of Scientists & Engineers, math scholar Chris McKinlay parlayed his experience working with supercomputers to analyze OKCupid’s question data, which the dating service uses to determine compatibility.

True to his left-brain characteristics, he went about the whole thing in a logistic manner. “The first thing he noticed was that women in Southern California tended to select questions that clumped up into seven categories,” Sophos Security explained.

“Looking at those subsets, McKinlay chose a category that corresponded with the type of woman he’d like to date. Next, he wrote some code to determine which questions were most important to the type of women he felt drawn to. Then, McKinlay determined which of those questions he’d feel comfortable answering truthfully.”

The next thing he knew, he had become the top match for 30,000+ women – receiving up to 10 unsolicited messages per day. Then he set about becoming a dating robot, meeting one woman per day in a series of what he called “efficient and depersonalized dates.”

“I was trending globally,” he said. Not bad for a math dude.

The funny thing is, the whole thing worked out well for him: he actually went on to get engaged to date No. 88, who presumably didn’t mind his ruthlessly efficient approach to romance. So, the moral of this thoroughly modern and IT-tastic story is this: you can kiss a lot of frogs, but why not just get a computer algorithm to do the frog-kissing for you?

Man Arrested After Tagging Himself as Rioting

Hey kids, here’s a tip: if you’re engaging in a riot, it’s probably not a good idea to “check in” for the proceedings on Facebook. It never fails to amaze this Slacker how some people don’t grasp the concept that a social network is, well, social.

Robert Darragh, 21, was arrested for rioting and sentenced to two years (one of them to be spent in jail, the other on probation) after participating in the parade violence in the Woodvale/Twaddell area of Belfast last July. It was a serious event: The BBC reported that a total of 29 police officers were injured during the rioting “after police lines were pelted with masonry, bricks, bottles and other items, with one officer almost losing an ear.”

Darragh, who later admitted to throwing items at police lines, had covered his face and had his hood up to avoid being identified on CCTV while the outbreak was going on. However, that prudence evaporated when it came to letting his friends know what was up, tagging himself not once but twice as being at the riot.

The article doesn’t say what, exactly, Darragh said. We’re hoping it was something like, “TOTALLY hangin’ at the riot!!!! #SundayFunday”

A defense lawyer said that when questioned by police about his involvement, Darragh somewhat lamely said that he could not remember quite what he had been up to virtually or otherwise, “as he had been on a three-day binge.”
