
I wrote a program that emails me when one of my friends orders Domino's - danjoc
https://www.reddit.com/r/Python/comments/5wec78/i_wrote_a_program_that_emails_me_when_one_of_my/
======
kevinschumacher
This is hilarious. Apparently Dominos exposes active order tracking
information with only a phone number needed. The code in the OP just requests

[https://order.dominos.com/orderstorage/GetTrackerData?Phone=...](https://order.dominos.com/orderstorage/GetTrackerData?Phone=5555555555)

for each phone number of input.

(Also, this is the original post, may want to edit the link:
[http://www.technologyversus.com/pizza/](http://www.technologyversus.com/pizza/)
)

------
accountface
Probably an extreme case of paranoia on my part, but Domino's should probably
close this as a vulnerability, right?

If I knew someone's phone number I could potentially use this to impersonate a
delivery driver to gain access to someone (at a residential address or
business)...

I mean sure, I could just knock on a door or walk in impersonating someone
else... but expecting a pizza delivery is different than ignoring/alerting
someone to an unknown solicitor.

OR you could also potentially use it to locate someone based on phone number
by following a delivery driver from the local Domino's?

You could also just use it to steal pizza. Just find the contact information
of a bunch of people in a nearby condo building and wait at the door and say
"Oh is that for John Doe? That's me, I'll take it"

~~~
TheSwordsman
Depending on the location, you could just stand outside of the person's house
and end up with an almost free pizza.

Almost free because you shouldn't forget to tip the driver you're stealing the
pizza from!

~~~
azeirah
Tipping is not customary in many countries outside the US. Here in The
Netherlands it would be free :D

------
agentgt
Funny related story. When I was at GaTech my dorm room (actually a 4 room
suite) phone number was 4046.

Now GaTechs area code happens to be 404 and there are few biz that share that
area code. One notable one was a Papa Johns 404-6xx and some more numbers you
can google.

The key thing is if you have a dorm phone you have to dial 9 to dial out...
you see where I'm going with this...

My junior and senior and +.5 super senior year (alas that is another GT thing)
I took hundreds of orders with credit card numbers.

Now I never did anything bad with those credit cards but there sure were a lot
of angry people that didn't get their pizza (some I would call back and tell
them but it got pretty annoying so....).

The really funny thing was there were even faculty and staff that made this
mistake. You could say they got shafted (another GT thing).

I strangely miss that Papa Johns. Their garlic sauce was so glorious and yet
so disgusting. It was like liquid cocaine transfat.

~~~
logfromblammo
If you were going to take the credit card info, why couldn't you just MitM the
whole order and ask the restaurant to spell out "9 to dial out" with some
anchovies?

~~~
agentgt
We did do stuff like that. There was a Chinese restaurant that we forwarded an
order to but pretended to be the Chinese restaurant. We actually tried to
talk them out of the order yet they kept ordering. We said things like "oh
that tastes like dog and smells like skunk... you still want?" (apologies if I
offend anyone with terrible stereotypes). They proceeded to still order though!

------
nsxwolf
Better use a burner phone if you don't want your friends to find out you like
terrible pizza.

------
orf
Funny this comes up! Dominoes used to use a single integer ID per order, and I
wrote a tool to find out how many orders they process each day[1]. After
contacting them (and receiving no reply!) they switched to a proper
implementation involving GUIDs.

Good work though, I had no idea the dominoes USA website lets you just enter a
phone number to get order details. That's pretty poor.

1\. [http://tomforb.es/counting-pizza-with-python](http://tomforb.es/counting-pizza-with-python)
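The two tracker designs discussed in this thread (kevinschumacher's observation that the live order is returned for any phone number, and orf's point that sequential integer IDs were replaced by GUIDs) side by side, as an added example that is not code from the thread, from Domino's, or from the original post. The in-memory store, the order records and the phone numbers are constructed for illustration.

```python
"""Tracker lookups keyed by phone number vs. by a random per-order token.

Added example; not code from the Reddit/Hacker News thread or from Domino's.
Store, orders and phone numbers are constructed for illustration.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Order:
    phone: str
    address: str
    status: str
    seq_id: int  # sequential id, like the old tracker orf describes
    # unguessable per-order token: 16 random bytes, ~128 bits of entropy
    token: str = field(default_factory=lambda: secrets.token_urlsafe(16))


class TrackerStore:
    def __init__(self):
        self._orders = []

    def place(self, phone, address, status="baking"):
        order = Order(phone, address, status, seq_id=len(self._orders) + 1)
        self._orders.append(order)
        return order

    # Design the thread criticises: anyone who knows the phone number (a
    # low-entropy, widely shared identifier) gets the live order and address.
    def lookup_by_phone(self, phone):
        return [o for o in self._orders if o.phone == phone]

    # Sequential ids are predictable (the next one is seq_id + 1) and the gap
    # between two ids leaks how many orders were placed in between.
    def lookup_by_seq_id(self, seq_id):
        for o in self._orders:
            if o.seq_id == seq_id:
                return o
        return None

    # Hardened variant: the tracker link carries a random token only the
    # customer received, so knowing the phone number is not enough. The
    # constant-time compare avoids leaking token bytes through timing.
    def lookup_by_token(self, token):
        for o in self._orders:
            if secrets.compare_digest(o.token, token):
                return o
        return None


def orders_between(store, first, second):
    """How many orders a sequential-id scheme reveals were placed between
    two observed orders (the volume leak behind orf's counting tool)."""
    return abs(second.seq_id - first.seq_id) - 1


if __name__ == "__main__":
    store = TrackerStore()
    a = store.place("5555550100", "1 Example St", "baking")      # constructed
    for _ in range(6):
        store.place("5555550199", "9 Example Ave")                 # constructed filler
    b = store.place("5555550100", "1 Example St", "out for delivery")
    print(store.lookup_by_phone("5555550100"))     # both orders, no secret needed
    print(orders_between(store, a, b))             # 6: the id gap leaks volume
    print(store.lookup_by_token(b.token).status)   # works only with the token
```

Running the block shows the phone-keyed lookup returning every order for that number with no secret at all, the sequential ids giving away the order count between two observations, and the token lookup succeeding only for the holder of the link.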

~~~
dogma1138
I'm actually surprised that they can fit their daily order number into a
standard integer.

~~~
OJFord
> _I'm actually surprised that they can fit their daily order number into a
> standard integer._

What's a 'standard integer'?

The ID in the URL is just a string of digits, and you don't have to be that
careful (in simple scripts like this at least) for Python not to care how high
you go.

~~~
dogma1138
Commonly 65535 (for uint) :) A string of digits doth not an integer make.

~~~
OJFord
My point is - where do you think the problem is?

> _A string of digits doth not an integer make._

The URL contains a string of digits as the order ID, if that's not where you
think the problem is, where?

> _Commonly 65535 (for uint)_

Not in Python, as I said:

> ... you don't have to be that careful (in simple scripts like this at least)
> for Python not to care how high you go.

~~~
dogma1138
>The URL contains a string of digits as the order ID, if that's not where you
think the problem is, where?

A string of numbers != an integer, saying an integer in an ambiguous setting
where for many people it's +-32K or 65K for unsigned often creates some
confusion.

> Not in Python, as I said: ... you don't have to be that careful (in simple
> scripts like this at least) for Python not to care how high you go.

Python cares very much how high you go, Python sets a limit to integers also
which is 2^31-1 for 32 bit and 2^63-1 for 64 bit runtimes. So even with Python,
once you commonly go above 2147483647 you'll get into problems ;)

~~~
OJFord
> _A string of numbers != an integer_

I'm well aware. I'm just trying to understand where you think the problem is.

> _Python cares very much how high you go, Python sets a limit to integers
> also which is 2^31-1 for 32 bit and 2^63-1 for 64 bit runtimes._

Try this:

    >>> print(f'Are you sure dogma? {2**128}')
    Are you sure dogma? 340282366920938463463374607431768211456

> _So even with Python if once you commonly go above 2147483647 you'll get
> into problems ;)_

I didn't claim it never goes wrong. I said 'in simple scripts like this', I
had a quick look after you expressed surprise that their orders fit into
'standard integers', and I didn't see anything that would impose such a
restriction.

~~~
dogma1138
The fact that you can print a multiplication doesn't mean it's an integer :P

Use sys.maxint / sys.maxsize =) 2147483647 is the limit for 32bit systems as I
said, 2^63-1 is for a 64bit run time.

~~~
OJFord
> _The fact that you can print a multiplication doesn't mean it's an integer
> :P_

I mean, we're circling back on it on 'what do you mean by...' - and my basic
point is that a lot of the time, especially for simple stuff like this, it's
completely arbitrary.

    >>> print(int(2**128))
    340282366920938463463374607431768211456

You can tell me it "doesn't mean it's an integer" all you like, it's integer
enough.

Perhaps this whole thread would have been better summarised if I'd initially
asked Where is it being stored as what you're terming a 'standard integer'?

Edit - actually, I did ask that, in my second reply:

> My point is - where do you think the problem is?

~~~
dogma1138
At this point I think it's a generational thing. When I hear Int I see
-+32,767 even tho 4 Byte Ints were much more common for me :)

And yes I know that the definition of an integer is any whole number including
zero, but still some of us still think in datatypes. And since many (or most)
languages still limit Int (at least by default) to 4 or 2 bytes that was what
brought it up.

And to some extent I see this problem every day that people define datatypes
too casually like defining an interoperable interface with a datatype of Int
and then pushing 340282366920938463463374607431768211456 through it without
thinking about datatypes in different languages.
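The point the two of them circle around (Python's `int` is unbounded, but an interface declared as a 16-, 32- or 64-bit Int in another language is not, so the check has to happen at that boundary) as an added example; this is not code from the thread. The field widths and sample values are the ones named in the discussion, and `pack_field` is a helper written here for illustration, using only `struct` from the standard library.

```python
"""Range-checking a Python int before it crosses a fixed-width Int boundary.

Added example; not code from the thread. Python's int has no fixed width, so
the width of the receiving field has to be checked explicitly when a value is
serialised for another language's datatype.
"""
import struct
import sys

# struct format codes (big-endian) for the common fixed-width fields
_FORMATS = {
    (16, True): ">h", (16, False): ">H",
    (32, True): ">i", (32, False): ">I",
    (64, True): ">q", (64, False): ">Q",
}


def int_range(bits, signed):
    """Inclusive (low, high) range of a two's-complement or unsigned field."""
    if signed:
        return -(1 << (bits - 1)), (1 << (bits - 1)) - 1
    return 0, (1 << bits) - 1


def fits(value, bits, signed=True):
    lo, hi = int_range(bits, signed)
    return lo <= value <= hi


def pack_field(value, bits, signed=True):
    """Serialise value into a `bits`-wide field, or raise ValueError naming
    the allowed range instead of letting a truncation or wrap-around happen
    silently on the other side of the interface."""
    if not fits(value, bits, signed):
        lo, hi = int_range(bits, signed)
        kind = "signed" if signed else "unsigned"
        raise ValueError(f"{value} does not fit a {kind} {bits}-bit field [{lo}, {hi}]")
    return struct.pack(_FORMATS[(bits, signed)], value)


def python_int_is_unbounded():
    """2**128 is an ordinary int in Python 3; sys.maxsize bounds things like
    container indices, not the values an int can hold."""
    big = 2 ** 128
    return isinstance(big, int) and big > sys.maxsize


if __name__ == "__main__":
    print(int_range(16, True), int_range(16, False))   # (-32768, 32767) (0, 65535)
    print(fits(2147483647, 32), fits(2147483648, 32))  # True False
    print(pack_field(2147483647, 32).hex())            # 7fffffff
    print(python_int_is_unbounded())                   # True
    try:
        pack_field(2 ** 128, 64, signed=False)
    except ValueError as exc:
        print(exc)
```

The 32,767 / 65,535 / 2,147,483,647 figures quoted in the thread are exactly the `int_range` results for 16-bit signed, 16-bit unsigned and 32-bit signed fields; the 2**128 value that prints fine in the REPL is rejected by `pack_field` for every width in the table.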

------
anfractuosity
That seems a rather big privacy issue on Domino's part.

I wonder if it also opens the doors to some kind of social engineering attack,
with someone pretending to be Domino's asking for money over the phone.

As an aside I thought this is rather cool - Pizza Party a CLI for Domino's
[https://www.youtube.com/watch?v=J691aLfkWP0](https://www.youtube.com/watch?v=J691aLfkWP0)

(One day I'd like to be able to afford to cron job something like that ;)

------
skissane
Dominos Australia uses a UUID instead:

[https://internetorder.dominos.com.au/eStore/en/Tracker?order...](https://internetorder.dominos.com.au/eStore/en/Tracker?order=bcceddc4-58a9-4398-8ce2-dc983dfdb678)

(That's a random UUID so it doesn't work. I've got some working UUIDs in my
browser history, but not sharing them since they tell you my home address..)

------
coldcode
What an idiotic url scheme. Learn a few people's phone numbers and steal their
pizza orders. I bet you can learn all sorts of things about people from their
pizza orders.

------
bnj
I've struggled with Domino's design in the past when attempting to order after
disabling a VPN connection in the same browser session - last I checked Dominos
offered no way to not redirect to the country they detect for the IP address.
Incredibly frustrating.

------
kafkaesq
Job well done. In the spirit of "Friends don't let friends", I suppose.

Seriously, against my better instincts I had more than a few slices of their
"product" at a meetup the other night. My innards are still cursing me for it.

------
wimagguc
How did you know? I mean, is it a habit of the author to sniff for
unprotected/useful APIs, or was the word on the street about Domino's crap
privacy?

~~~
djrogers
Probably got an email with a link to his own order status and saw the phone
number in the URL...

~~~
bpicolo
It's somewhat obvious when all you need to do is submit your phone number to
track:
[https://www.dominos.com/en/pages/tracker/#/track/order/](https://www.dominos.com/en/pages/tracker/#/track/order/)

------
xg15
Next step: Make a Telegram bot that you invite in a group and that posts a
message whenever a group member ordered something.

The magic will be real.

------
danielhunt
It looks like HN and Reddit combined just DDOS'd Dominos.

Wow.

