I wrote a program that emails me when one of my friends orders Domino's (reddit.com)
43 points by danjoc 2 hours ago | 9 comments

This is hilarious. Apparently Domino's exposes active order tracking information with only a phone number needed. The code in the OP just requests

https://order.dominos.com/orderstorage/GetTrackerData?Phone=...

for each phone number in the input.

(Also, this is the original post, may want to edit the link: http://www.technologyversus.com/pizza/ )

Better use a burner phone if you don't want your friends to find out you like terrible pizza.

Probably an extreme case of paranoia on my part, but Domino's should probably close this as a vulnerability, right?

If I knew someone's phone number I could potentially use this to impersonate a delivery driver to gain access to someone (at a residential address or business)...

I mean sure, I could just knock on a door or walk in impersonating someone else... but expecting a pizza delivery is different than ignoring/alerting someone to an unknown solicitor.

OR you could also potentially use it to locate someone based on phone number by following a delivery driver from the local Domino's?

You could also just use it to steal pizza. Just find the contact information of a bunch of people in a nearby condo building and wait at the door and say "Oh is that for John Doe? That's me, I'll take it"

Depending on the location, you could just stand outside of the person's house and end up with an almost free pizza.

Almost free because you shouldn't forget to tip the driver you're stealing the pizza from!

Tipping is not customary in many countries outside the US. Here in The Netherlands it would be free :D

Should be pretty easy to fix. Just HMAC (or just concatenate pepper and hash, honestly) the phone number and use that as the identifier.
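The fix the comment above sketches, as an added example (my own code, not the OP's program and not Domino's code): the lookup keyed by the raw phone number sits next to a version keyed by an HMAC of the normalized phone number under a server-side secret. The order store, the phone number and the secret are constructed sample values; the point is that the opaque token only reaches the customer via their own order confirmation, so knowing someone's phone number is no longer enough to pull their order.

```python
import hashlib
import hmac
import secrets

# Constructed sample "order storage", keyed the way the thread describes:
# the raw phone number taken straight from the URL.
ORDERS_BY_PHONE = {
    "5551234567": {"order_id": "A1", "status": "Out for delivery"},
}


def weak_lookup(phone):
    """Weak pattern: anyone who knows the phone number can read the order."""
    return ORDERS_BY_PHONE.get(normalize_phone(phone))


# Hardened variant. The secret never leaves the server; in a real deployment it
# would come from a secrets manager rather than being generated at import time.
SERVER_SECRET = secrets.token_bytes(32)  # constructed for this example


def normalize_phone(phone):
    """Keep only digits so '(555) 123-4567' and '5551234567' map to one key."""
    return "".join(ch for ch in phone if ch.isdigit())


def tracker_token(phone, secret=SERVER_SECRET):
    """Opaque tracker identifier: HMAC-SHA256(secret, normalized phone).

    Without the secret there is no way to go from a phone number to the
    token, which is exactly what the exposed endpoint currently allows.
    """
    msg = normalize_phone(phone).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def order_token(phone, order_id, secret=SERVER_SECRET):
    """Variant bound to a single order, so the token stops working once the
    order is done instead of identifying the phone number forever."""
    msg = f"{normalize_phone(phone)}|{order_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


# Re-key the store under the opaque tokens; the tracking URL takes the token.
ORDERS_BY_TOKEN = {tracker_token(p): o for p, o in ORDERS_BY_PHONE.items()}


def secure_lookup(token):
    """Lookup by token only. A bare phone number is not a valid key here."""
    return ORDERS_BY_TOKEN.get(token)


if __name__ == "__main__":
    phone = "(555) 123-4567"
    print("weak:  ", weak_lookup(phone))
    print("secure, phone only:", secure_lookup(normalize_phone(phone)))
    print("secure, with token:", secure_lookup(tracker_token(phone)))
```

The token has to be delivered to the customer out of band (the order confirmation page, email or SMS), which is the part the current URL scheme skips. A token derived from the phone number alone is stable for as long as the secret is, so either rotate the secret or bind the token to the order id as `order_token` does; a rotated secret also invalidates every outstanding link, which is fine for a tracker that only matters for an hour.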

That seems a rather big privacy issue on Domino's part.

I wonder if it also opens the doors to some kind of social engineering attack, with someone pretending to be Domino's asking for money over the phone.

As an aside, I thought this is rather cool: Pizza Party, a CLI for Domino's https://www.youtube.com/watch?v=J691aLfkWP0

(One day I'd like to be able to afford to cron job something like that ;)

What an idiotic url scheme. Learn a few people's phone numbers and steal their pizza orders. I bet you can learn all sorts of things about people from their pizza orders.

How did you know? I mean, is it a habit of the author to sniff for unprotected/useful APIs, or was the word on the street about Domino's crap privacy?