A trivial Mobi2Go proof of concept exploit that allows you to specify your own discount.
This bug was disclosed and fixed by Mobi2Go before the publishing of this POC.
Mobi2Go does not appear to verify that user input is valid, probably because there are few user-input fields to validate and the server assumes that any code running on the web page is genuine. The easiest way to exploit this, with no modifications to the existing scripts on the page, is to use the (mostly) unused tip field as follows:

```javascript
Mobi2Go.Order.setTip(-100);
```

The example above sets the tip to -$100, which is then subtracted from the order price.
Key Points to take away:
- Never trust input from a client outside your control, even if there is client-side verification
- Do not allow the client to set fields (like the tip) when they are not needed
- Never, ever, ever allow the client to control the price
This is one of many similar exploit routes that could be taken.
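The three key points above, as an added defensive example (not Mobi2Go's code): a server-side pricing function that recomputes every amount from a server-held catalogue, ignores any client-supplied unit prices, bounds the tip, and treats client-supplied `discount` or `total` fields as tampering. The catalogue, the `tipCents`/`items` field names and the $100 tip cap are assumptions for the example.

```javascript
// Server-side order pricing, written as an added example for this README
// (not Mobi2Go's code). Catalogue contents, field names and the tip cap
// are assumptions. The client may only send item ids, quantities and a
// tip; every price and the total are recomputed here, so a tampered client
// (negative tip, edited unit price, injected discount) cannot change what
// is charged.
const CATALOGUE = {            // constructed sample catalogue, prices in cents
  "pizza-large": 2190,
  "garlic-bread": 690,
};
const MAX_TIP_CENTS = 10000;   // assumed policy: cap tips at $100

function priceOrder(clientOrder) {
  if (!clientOrder || !Array.isArray(clientOrder.items) || clientOrder.items.length === 0) {
    return { ok: false, reason: "no items" };
  }
  // Fields the client has no business setting: reject and log as tampering
  // rather than silently ignoring, so the attempt shows up in monitoring.
  if ("discount" in clientOrder || "total" in clientOrder) {
    return { ok: false, reason: "client may not set discount or total" };
  }
  let subtotal = 0;
  for (const item of clientOrder.items) {
    const unitPrice = CATALOGUE[item.id];      // any client-supplied item.price is ignored
    if (unitPrice === undefined) {
      return { ok: false, reason: `unknown item ${item.id}` };
    }
    if (!Number.isInteger(item.qty) || item.qty < 1 || item.qty > 50) {
      return { ok: false, reason: `bad quantity for ${item.id}` };
    }
    subtotal += unitPrice * item.qty;
  }
  // Tip: optional, must be a non-negative integer number of cents within policy,
  // which rules out the setTip(-100) trick described above.
  const tip = clientOrder.tipCents === undefined ? 0 : clientOrder.tipCents;
  if (!Number.isInteger(tip) || tip < 0 || tip > MAX_TIP_CENTS) {
    return { ok: false, reason: "invalid tip" };
  }
  return { ok: true, subtotalCents: subtotal, tipCents: tip, totalCents: subtotal + tip };
}
```

Discounts belong on the server too: resolve them from a validated coupon code against server-held rules, never from a value the client sends.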
Only tested in Firefox 51.0a2.
- Install the Firefox Greasemonkey extension. It may (untested) also work with Tampermonkey for Google Chrome.
- Click here to install the script from this repository.
- Navigate to any Mobi2Go web store. A non-exhaustive list includes:
  - HellsPizza
  - BurgerFuel
  - BurgerWisconsin
  - Corianders
  - Pita Pit
  - Mexicali Fresh
  - La Porchetta
  - Camile
  - Habitual Fix
  - BurgerBurger
  - Bird On A Wire
  - Mr Burger
  - More. There are so many that I am concerned this hasn't been found before now.
- Proceed with the order as usual.
- A new section called 'Discount' will appear above your order. Use this section to select your discount.
- Check out. Your custom discount will be applied (no verification....?!)
Other exploit routes that haven't been explored to the same extent:
- It appears to be possible to set the price of food items.
- The mobile app. Major chains such as McDonald's use this.