Remediated | Pizza Hut MEA Leaking Customer Information

I thought I'd update this post on the events that unfolded rather than do a new post which would lose the context.

The main aim of this post was to flag someone's attention at Pizza Hut, which it achieved.
My main concern was that personal information was accessible and not the technical aspects that accompanied it.

I managed to catch the attention of Pizza Hut SA management who reached out to me.
The reassuring thing was that there was no denial of the issue and no attempt to blame a scapegoat, just genuine concern over the protection of private customer information and an effort to get everything resolved (Pizza Hut's online sales data was also accessible).

I was kept in the loop along the way but it became apparent the vulnerabilities didn't sit in the domain of Pizza Hut but with their vendor who managed their online store.
A vendor with 200+ other enterprise customers around the world.

The vulnerabilities I uncovered were quickly resolved.

It became my own butterfly effect moment: if I had never uncovered this, and if Pizza Hut SA had never reached out to their vendor, there would be 200+ online stores with private customer information still accessible.

Below is the original post, redacted due to an ongoing security audit.


I'm going to start this post off with a statement that I don't go around prodding for security holes in websites.
I was querying my own order on Pizza Hut's South African website when I discovered this.
I did reach out to Pizza Hut SA, but I was ignored and my concerns were not taken seriously, hence this post.

The Problem

Pizza Hut's website will return you a list of their latest orders.
If you query the Order Id, you get returned the order info with the customer's details as well.

The Background

Pizza Hut SA Technology Profile. Using BuiltWith, you can find out a lot about a website. I now know Pizza Hut SA is built in ASP.NET, served by IIS and hosted in Azure.
It also uses the MartJack Ecommerce Platform to run its store.

The How

If I go to Track Order while not logged in, I'm presented with a page to enter my Order Id and Mobile Number.
By providing 0 as both the Order Id and the Mobile Number, the website makes a request to
https://www.pizzahut.co.za/MyAccount/TrackOrder/Track?OrderNo=0&EmailId=&MobileNo=0&selectedpage=1&pagesize=10
This returns the latest 10 orders.

If I then log in and make a request with any Order Id to
https://www.pizzahut.co.za/MyAccount/Orderdetail/{OrderId}
I'm returned the order details with the customer's information.
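The two defects described above are both missing server-side authorization checks: a tracking lookup that treats 0 as "no filter" and lists other people's orders, and a detail endpoint that only checks that someone is logged in, not that the order belongs to them. The following is an added illustrative re-implementation of that pattern in Python, not MartJack's or Pizza Hut's code; the `Order` fields, the `customer_id` account identifier and all sample orders are constructed for the example. Each vulnerable handler sits beside a hardened version that enforces object-level authorization.

```python
"""
Added example (not the store's real code): the two access-control defects
described in the post, each beside a hardened version that enforces
object-level authorization on the server. All data below is constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Order:
    order_id: int
    customer_id: int          # hypothetical account identifier owning the order
    mobile: str               # mobile number given at checkout
    address: str
    total: float


# Constructed sample rows standing in for the store's order table.
ORDERS = {
    1001: Order(1001, 1, "0821110000", "1 First St", 120.0),
    1002: Order(1002, 2, "0832220000", "2 Second Ave", 89.5),
    1003: Order(1003, 3, "0843330000", "3 Third Rd", 205.0),
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""


# --- Vulnerable pattern (mirrors the behaviour the post describes) ----------

def track_order_vulnerable(order_no: int, mobile: str, pagesize: int = 10) -> list:
    """Unauthenticated tracking lookup. A sentinel of 0 for both inputs is
    treated as 'no filter', so the newest orders are returned to anyone."""
    rows = sorted(ORDERS.values(), key=lambda o: o.order_id, reverse=True)
    if order_no == 0 and mobile == "0":
        return rows[:pagesize]
    return [o for o in rows if o.order_id == order_no and o.mobile == mobile]


def order_detail_vulnerable(session_customer_id: Optional[int], order_id: int) -> Optional[Order]:
    """Authenticated detail lookup that checks only that *a* user is logged
    in, never that the order belongs to that user (an IDOR)."""
    if session_customer_id is None:
        raise Forbidden("login required")
    return ORDERS.get(order_id)


# --- Hardened pattern ---------------------------------------------------------

def track_order_hardened(order_no: int, mobile: str) -> Optional[Order]:
    """Tracking requires a real order number plus the matching mobile number;
    there is no wildcard and no list endpoint for unauthenticated callers."""
    if order_no <= 0 or not mobile.isdigit() or mobile == "0":
        return None
    order = ORDERS.get(order_no)
    if order is None or order.mobile != mobile:
        return None   # same response for 'no such order' and 'wrong mobile'
    return order


def order_detail_hardened(session_customer_id: Optional[int], order_id: int) -> Order:
    """Object-level authorization: the order must belong to the logged-in
    customer. Not-found and not-yours collapse into one error so the
    endpoint cannot be used to discover which ids exist."""
    if session_customer_id is None:
        raise Forbidden("login required")
    order = ORDERS.get(order_id)
    if order is None or order.customer_id != session_customer_id:
        raise Forbidden("order not accessible to this account")
    return order
```

The hardened detail handler deliberately returns the same error for a missing order and for someone else's order; distinguishing the two would let a logged-in user map which order ids exist even after the ownership check is in place.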


This issue isn't unique to the South African online store; it also affects the other Pizza Hut online stores that use MartJack.