Series — Discovering Business Logic Flaws

Chetan Conikee
2 min read · Mar 20, 2019


Act 7 — One (Bug)Mac please!

Courtesy: khytal

Watch this video!

Courtesy: Moshe Tamssot

A typical Big Mac has two juicy beef patties with melted American cheese, pickles, onions, lettuce and McDonald’s Special Sauce on a toasted sesame bun. Most of us have taken a big, juicy bite of one at least once in our lifetime.

Not too long ago Moshe Tamssot outwitted the self-serve kiosk at McDonald’s to place an order for an enormous (Bug)Mac — no pun intended.

Let’s reconstruct the events:

  1. Using the kiosk, Moshe added sides and toppings to his single order many times over (10x each).
  2. No upper bound was enforced on how many times a topping could be added to a single order.
  3. Upon completion of the order, the system indicated that it would take 8–10 minutes to prepare it.
  4. The system was using a fixed, default upper-bound SLA threshold. If this SLA is exceeded, the customer is possibly compensated with a free order. The SLA should instead be computed from order details, real-time queue information and other variables.
  5. The cashier was awestruck by the order amount and called for the manager to deal with the situation.
  6. The billing POS terminal was perhaps not tuned to deal with a price this high.
  7. Eventually, Moshe was rewarded with a (Bug)Mac at no cost.
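The steps above point at three missing server-side controls: a limit on how often a topping can be added, a preparation estimate derived from the order rather than a fixed default, and a review threshold for totals the POS was never meant to see. The following is an added example, not code from the original post or from any kiosk vendor; the menu, prices, limits and timing constants are constructed for illustration, and the function names are my own.

```python
"""Server-side order validation and preparation-time estimation.

Added example; not code from the original post or from any kiosk vendor.
It models the flaw reconstructed above: the kiosk accepted an unbounded number
of topping additions, quoted a fixed 8-10 minute window regardless of order
size, and let the POS see a price it was never designed for. Every limit,
price and timing constant here is constructed for illustration.
"""

# Constructed menu: product/topping -> unit price in cents (not real prices)
MENU_PRICES = {
    "big_mac": 599,
    "patty": 150,
    "cheese": 50,
    "pickles": 0,
    "onions": 0,
    "lettuce": 0,
    "special_sauce": 0,
}

# Business-rule limits enforced on the server, independent of what the UI allows
MAX_UNITS_PER_TOPPING = 5        # same topping added at most 5 times per item
MAX_TOPPING_UNITS_PER_ITEM = 20  # all toppings on one item combined
REVIEW_THRESHOLD_CENTS = 20_000  # orders above this are held for staff review

# Constructed preparation-time model used instead of a fixed default SLA
BASE_PREP_SECONDS = 180          # one standard sandwich
SECONDS_PER_TOPPING_UNIT = 15    # each extra topping unit adds handling time


class OrderPolicyError(ValueError):
    """Raised when an order violates a business rule."""


def validate_line_item(product: str, toppings: dict) -> int:
    """Reject unknown products, bad counts and over-limit toppings.

    Returns the total number of topping units on the item.
    """
    if product not in MENU_PRICES:
        raise OrderPolicyError(f"unknown product {product!r}")
    total_units = 0
    for name, count in toppings.items():
        if name not in MENU_PRICES:
            raise OrderPolicyError(f"unknown topping {name!r}")
        # bool is a subclass of int in Python; exclude it explicitly
        if isinstance(count, bool) or not isinstance(count, int) or count < 0:
            raise OrderPolicyError(f"invalid count {count!r} for {name!r}")
        if count > MAX_UNITS_PER_TOPPING:
            raise OrderPolicyError(
                f"{name!r} x{count} exceeds per-topping limit {MAX_UNITS_PER_TOPPING}")
        total_units += count
    if total_units > MAX_TOPPING_UNITS_PER_ITEM:
        raise OrderPolicyError(
            f"{total_units} topping units exceed item limit {MAX_TOPPING_UNITS_PER_ITEM}")
    return total_units


def price_line_item_cents(product: str, toppings: dict) -> int:
    """Price one item; assumes validate_line_item already passed."""
    return MENU_PRICES[product] + sum(MENU_PRICES[t] * c for t, c in toppings.items())


def estimate_prep_seconds(order: list, queue_backlog_seconds: int = 0) -> int:
    """Preparation estimate derived from order contents plus current kitchen backlog."""
    seconds = queue_backlog_seconds
    for _product, toppings in order:
        seconds += BASE_PREP_SECONDS + SECONDS_PER_TOPPING_UNIT * sum(toppings.values())
    return seconds


def check_order(order: list, queue_backlog_seconds: int = 0) -> dict:
    """Validate every line, then return total price, prep estimate and review flag.

    `order` is a list of (product, {topping: count}) tuples as submitted by the kiosk.
    Raises OrderPolicyError before any price or SLA is quoted to the customer.
    """
    for product, toppings in order:
        validate_line_item(product, toppings)
    total = sum(price_line_item_cents(p, t) for p, t in order)
    return {
        "total_cents": total,
        "prep_seconds": estimate_prep_seconds(order, queue_backlog_seconds),
        "needs_review": total > REVIEW_THRESHOLD_CENTS,
    }


if __name__ == "__main__":
    print(check_order([("big_mac", {"pickles": 2, "cheese": 1})]))
    try:
        check_order([("big_mac", {"patty": 10, "cheese": 10})])
    except OrderPolicyError as exc:
        print("rejected:", exc)
```

The point of the design is that the kiosk UI is treated as untrusted input: the per-topping and per-item limits, the queue-aware preparation estimate and the review threshold all live on the server, so a client that lets a customer tap "add" indefinitely cannot by itself produce an order the kitchen and the POS were never sized for.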

Humor aside, such business logic flaws have negative ripple effects.

The viral coefficient of this YouTube posting would have led others to abuse this flaw as well before an update was pushed to all kiosks worldwide. Upholding its high standards of service, McDonald’s accepted this order at no cost to Moshe; it most likely took over 15 minutes to prepare, thereby delaying those waiting behind him at the dine-in and drive-in.

Ironically, this is one of those types of flaws that is all but impossible for an automated web application vulnerability scanner to discover.

How can such flaws be identified and thereafter avoided?

Is there a human-assisted expert system available to check your specific application, belonging to a specific business domain, for design flaws that can be exploited?

Yes, such a system does exist. At the series finale I will reveal how this expert system can be utilized to identify such flaws.

This post is one of a seven-part series on finding business logic vulnerabilities in your code. To learn more, please read the full series here:

Act 1 — What is a business logic flaw?
Act 2 — Attack like it’s 1999
Act 3 — The dynamic duo Andrew and Allen exploit Nordstrom with their FatWallet
Act 4 — Outbidding
Act 5 — Pusher in Coinbase cookie
Act 6 — Your data has been breached, now what?
Act 7 — One (Bug)Mac please!


Chetan Conikee

Venture Advisor and Entrepreneur, Open Source Advocate, Interested in Infrastructure, DevOps and things compute related