Probably an extreme case of paranoia on my part, but Domino's should probably close this as a vulnerability, right?
If I knew someone's phone number I could potentially use this to impersonate a delivery driver to gain access to someone (at a residential address or business)...
I mean sure, I could just knock on a door or walk in impersonating someone else... but expecting a pizza delivery is different than ignoring/alerting someone to an unknown solicitor.
OR you could also potentially use it to locate someone based on phone number by following a delivery driver from the local Domino's?
You could also just use it to steal pizza. Just find the contact information of a bunch of people in a nearby condo building and wait at the door and say "Oh is that for John Doe? That's me, I'll take it"
... or, you could pull out a phone directory and get the landline numbers for everyone in a nice wealthy neighborhood. Wait until someone orders a pizza, and when the driver gets there you rob him.
No connection to the neighborhood makes it very difficult to track down the perpetrator, and doing it in nice neighborhoods means that the driver is less likely to suspect trouble and more likely to be carrying cash.
Funny related story. When I was at GaTech my dorm room (actually a 4 room suite) phone number was 4046.
Now GaTechs area code happens to be 404 and there are few biz that share that area code. One notable one was a Papa Johns 404-6xx and some more numbers you can google.
The key thing is if you have a dorm phone you have to dial 9 to dial out... you see where I'm going with this...
My junior and senior and +.5 super senior year (alas that is another GT thing) I took hundreds of orders with credit card numbers.
Now I never did anything bad with those credit cards but there sure were a lot of angry people that didn't get their pizza (some I would call back and tell them but it got pretty annoying so....).
The really funny thing was there were even faculty and staff that made this mistake. You could say they got shafted (another GT thing).
I strangely miss that Papa Johns. Their garlic sauce was so glorious and yet so disgusting. It was like liquid cocaine transfat.
If you were going to take the credit card info, why couldn't you just MitM the whole order and ask the restaurant to spell out "9 to dial out" with some anchovies?
We did do stuff like that. There was Chinese restaurant that we forwarded an order too but pretended to be the Chinese restaurant. We actually tried to talk them out of the order yet they kept ordering. We said things like "oh that tastes like dog and smells like skunk... you still want?" (apologies if I offend anyone with terrible stereotypes). They preceded to still order though!
Funny this comes up! Dominoes used to use a single integer ID per order, and I wrote a tool to find out how many orders they process each day[1]. After contacting them (and receiving no reply!) they switched to a proper implementation involving GUID's.
Good work though, I had no idea the dominoes USA website lets you just enter a phone number to get order details. That's pretty poor
> I'm actually surprised that they can fit their daily order number into a standard integer.
What's a 'standard integer'?
The ID in the URL is just a string of digits, and you don't have to be that careful (in simple scripts like this at least) for Python not to care how high you go.
>The URL contains a string of digits as the order ID, if that's not where you think the problem is, where?
A string of numbers != an integer, saying an integer in an ambiguous settings where for many people it's +-32K or 65K for unsigned often creates some confusion.
Not in Python, as I said:
> ... you don't have to be that careful (in simple scripts like this at least) for Python not to care how high you go.
Python cares very much how high you go, Python sets a limit to integers also which is 2^31-1 for 32 bit and 2^63-1 for 64 bit runtimes.
So even with Python if once you commonly go above 2147483647 you'll get into problems ;)
I'm well aware. I'm just trying to understand where you think the problem is.
> Python cares very much how high you go, Python sets a limit to integers also which is 2^31-1 for 32 bit and 2^63-1 for 64 bit runtimes.
Try this:
>>> print(f'Are you sure dogma? {2**128}')
Are you sure dogma? 340282366920938463463374607431768211456
> So even with Python if once you commonly go above 2147483647 you'll get into problems ;)
I didn't claim it never goes wrong. I said 'in simple scripts like this', I had a quick look after you expressed surprise that their orders fit into 'standard integers', and I didn't see anything that would impose such a restriction.
> The fact that you can print a multiplication doesn't mean it's an integer :P
I mean, we're circling back on it on 'what do you mean by...' - and my basic point which is a lot of the time, especially for simple stuff like this, it's completely arbitrary.
You can tell me it "doesn't mean it's an integer" all you like, it's integer enough.
Perhaps this whole thread would have been better summarised if I'd initially asked Where is it being stored as what you're terming a 'standard integer'?
Edit - actually, I did ask that, in my second reply:
> My point is - where do you think the problem is?
At this point I think it's a generational thing.
When I hear Int i see -+32,767 even tho 4 Byte Ints were much more common for me :)
And yes I know that the definition of an integer is any whole number including zero, but still some of us still think in datatypes.
And since many (or most) languages still limit Int (at least by default) to 4 or 2 bytes that was what brought it up.
And to some extent I see this problem every day that people define datatypes too casually like defining an interoperable interface with a datatype of Int and then pushing 340282366920938463463374607431768211456 through it without thinking about datatypes in different languages.
(That's a random UUID so it doesn't work. I've got some working UUIDs in my browser history, but not sharing them since they tell you my home address..)
What an idiotic url scheme. Learn a few people's phone numbers and steal their pizza orders. I bet you can learn all sorts of things about people from their pizza orders.
I've struggled with Domino's design in the past when attempting to order after disabling a VPN connection in the same browser session- last I checked Dominos offered no way to not redirect to the country they detect for the IP address. Incredibly frustrating.
Job well done. In the spirit of "Friends don't let friends", I suppose.
Seriously, against my better instincts I had more than a few slices of their "product" at a meetup the other night. My innards are still cursing me for it.
https://order.dominos.com/orderstorage/GetTrackerData?Phone=...
for each phone number of input.
(Also, this is the original post, may want to edit the link: http://www.technologyversus.com/pizza/ )