I thought I'd update this post on the events that unfolded rather than do a new post which would lose the context.
The main aim of this post was to flag someone's attention at Pizza Hut, which it achieved.
My main concern was that personal information was accessible and not the technical aspects that accompanied it.
I managed to catch the attention of Pizza Hut SA management who reached out to me.
The reassuring thing was that there was no denial of the issue and no attempt to blame a scapegoat.
There was genuine concern over the protection of private customer information and a push to get everything resolved (Pizza Hut's online sales data was also accessible).
I was kept in the loop along the way, but it became apparent that the vulnerabilities didn't sit in the domain of Pizza Hut but with their vendor, who managed their online store: a vendor with 200+ other enterprise customers around the world.
The vulnerabilities I uncovered were quickly resolved.
It became my own butterfly effect moment: if I had never uncovered this, and if Pizza Hut SA had never reached out to their vendor, there would be 200+ online stores with private customer information accessible.
Below is the original post, redacted due to an ongoing security audit.
I'm going to start this post off with a statement that I don't go around prodding for security holes in websites.
I was querying my own order on Pizza Hut's South African website when I discovered this.
I did reach out to Pizza Hut SA, but I was ignored and my concerns were not taken seriously, hence this post.