South African developer Lionel Chetty recently discovered a security flaw in Pizza Hut’s website that allowed users to view the personal information of other customers who had used the site to place an order.
The flaw allowed an attacker to obtain a list of order numbers and then retrieve the details attached to each order, such as the customer’s name, delivery address, and contact information.
Chetty’s description of the vulnerability suggested it was not simple to exploit: an attacker needed an account on the Pizza Hut website and the developer tools of a web browser.
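The behaviour described above is the classic broken object-level authorization pattern: the order endpoint checks that the caller is logged in, but not that the order being requested belongs to that caller, so a logged-in attacker can walk order numbers and pull back every record. The following is an added example, not code from Pizza Hut, its vendor, or Chetty, that models that class of flaw against a constructed in-memory order store: a vulnerable lookup beside a hardened one, and the enumeration step an attacker would run against each. Every name, order number and customer record here is invented for the illustration.

```python
"""Toy model of an order-lookup endpoint with and without object-level
authorization. All data and function names are constructed for this
example; nothing here is from Pizza Hut or its online-store vendor."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    customer: str   # account that placed the order
    name: str
    address: str
    phone: str


# Constructed sample data; these are not real customers or orders.
ORDERS = {
    1001: Order(1001, "alice", "Alice A.", "1 First St",  "+27-11-000-0001"),
    1002: Order(1002, "bob",   "Bob B.",   "2 Second Rd", "+27-11-000-0002"),
    1003: Order(1003, "carol", "Carol C.", "3 Third Ave", "+27-11-000-0003"),
}


class Forbidden(Exception):
    """Raised when there is no authenticated session at all."""


def get_order_vulnerable(session_user, order_id):
    """Vulnerable lookup: requires *a* login (the account the article says an
    attacker needed) and then returns any order by number, regardless of
    who placed it."""
    if session_user is None:
        raise Forbidden("login required")
    order = ORDERS.get(order_id)
    if order is None:
        raise KeyError(order_id)
    return order


def get_order_hardened(session_user, order_id):
    """Hardened lookup: the order must belong to the calling account.
    A foreign order and a non-existent order raise the same error, so
    probing a range of numbers does not reveal which orders exist."""
    if session_user is None:
        raise Forbidden("login required")
    order = ORDERS.get(order_id)
    if order is None or order.customer != session_user:
        raise KeyError(order_id)   # indistinguishable from "not found"
    return order


def harvest(lookup, session_user, candidate_ids):
    """Model of the enumeration step: call the endpoint for each candidate
    order number (as an attacker would with a browser's developer tools)
    and keep every record it hands back."""
    found = {}
    for oid in candidate_ids:
        try:
            found[oid] = lookup(session_user, oid)
        except (Forbidden, KeyError):
            continue
    return found


if __name__ == "__main__":
    ids = range(1000, 1005)
    # Logged in as "bob", the vulnerable endpoint leaks all three orders;
    # the hardened one returns only bob's own order.
    print("vulnerable:", sorted(harvest(get_order_vulnerable, "bob", ids)))
    print("hardened:  ", sorted(harvest(get_order_hardened, "bob", ids)))
```

The ownership check is the fix; the other design choice worth copying is that the hardened version answers "not yours" and "does not exist" identically, so an attacker cannot use the endpoint to confirm which order numbers are live. Sequential order numbers make the enumeration trivial, so unguessable identifiers and per-account rate limiting are sensible defence in depth, but they are no substitute for the authorization check itself.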
Initially, Chetty said he struggled to find someone to take his report seriously – but after publishing a blog post about it and reaching out to MyBroadband, Pizza Hut’s management made contact.
“The reassuring thing was that there was no denial of the issue, or trying to blame a scapegoat,” said Chetty.
He said there was genuine concern over the protection of private customer information, and attempts to resolve the issue.
Much bigger than Pizza Hut ZA
Following an investigation, it turned out the vulnerability was in the system of an unnamed third-party vendor that manages Pizza Hut’s online store, said Chetty.
The vendor has hundreds of other enterprise customers around the world, and Chetty said it quickly resolved the vulnerabilities he discovered.
He was informed that a security audit was also being conducted to ensure the vulnerabilities were fully addressed.
News of the vulnerability in Pizza Hut’s website comes after the company informed customers in October 2017 that a hacker had breached its systems at the beginning of that month and made off with customer data.
Compromised information included payment card details, including card numbers and verification codes, of customers who used the company’s website or app during a 28-hour window between the morning of 1 October and midday on 2 October 2017.
“Pizza Hut identified the security intrusion quickly and took immediate action to halt it,” the company said at the time.
“The security intrusion at issue impacted a small percentage of our customers and we estimate that less than one percent of the visits to our website over the course of the relevant week were affected.”
MyBroadband contacted Yum! Brands for comment on the latest website issue, but the company did not reply to questions.