In this post we are going to look at how a rather simple bug in a web application could do significant damage to a business's marketing budget. The brand in question is a world famous fast food chain. As most consumer-facing businesses do, this fast food chain had put up a feedback survey program offering a 20% discount to those who participate in the program.
Feedback Program:
The survey is conducted online by a custom-built web application. The inputs to the survey are:
Restaurant Number
Date and Time of your previous visit
Receipt Number
Participants are expected to give their feedback within 3 days of their visit. Upon completion of the feedback survey, users are presented with a discount code that they are expected to present, along with the previous receipt, during their next visit to avail of the discount. The goals of the program are to perform voluntary, timely and valid quality assurance and to ask patrons for new suggestions.
Vulnerabilities:
We fired up Burp to see what was going on. The application was pretty simple: a standard ASP.NET web application.
No Captcha:
Since this is a survey program, as a business you want better and timely feedback, especially when you are offering a 20% discount. The absence of a good captcha allows the survey to be automated, producing repeated low-quality feedback.
Validation Failure:
The most important constraint in the feedback program is the receipt number. The receipt number makes sure that only those who have actually visited the restaurant are allowed to provide feedback; it is also what the 3-day limit should be cross-checked against to enforce the time constraint. We found that this receipt number was never validated at all.
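The missing check, as an added example that is not the original application's code: a server-side validation of the receipt number against a store of receipts the POS system issued, enforcing the restaurant match, the 3-day window (measured from the receipt's own timestamp rather than the user-supplied date) and one survey per receipt. The receipt store, receipt format and timestamps are constructed sample data; in Python rather than the ASP.NET stack the page describes.

```python
from datetime import datetime, timedelta

# Constructed sample of receipts the POS system issued: receipt -> (restaurant, visit time).
# In the real application this lookup would query the POS/transaction database.
ISSUED_RECEIPTS = {
    "R1001-000777": ("1001", "2024-03-01T12:30"),
    "R1001-000778": ("1001", "2024-03-01T12:45"),
    "R2002-000042": ("2002", "2024-02-20T18:05"),
}

SURVEY_WINDOW = timedelta(days=3)        # feedback must be given within 3 days of the visit
CLOCK_TOLERANCE = timedelta(minutes=15)  # POS time on the receipt vs. what the user types


def validate_receipt(restaurant, visit_time, receipt, now, redeemed, issued=ISSUED_RECEIPTS):
    """Server-side check that must pass before the survey (and discount code) is offered.

    Timestamps are ISO-8601 strings, as they would arrive from the form.
    Returns "ok" or a short reason string for the rejection.
    """
    record = issued.get(receipt)
    if record is None:
        return "unknown_receipt"          # never issued by any POS terminal
    rest_on_receipt, issued_at = record[0], datetime.fromisoformat(record[1])
    claimed = datetime.fromisoformat(visit_time)
    current = datetime.fromisoformat(now)
    if rest_on_receipt != restaurant:
        return "restaurant_mismatch"      # receipt belongs to another store
    if abs(claimed - issued_at) > CLOCK_TOLERANCE:
        return "visit_time_mismatch"      # user-entered visit time does not match the receipt
    if current < issued_at:
        return "receipt_in_future"
    if current - issued_at > SURVEY_WINDOW:
        return "window_expired"           # 3-day limit enforced from the receipt, not user input
    if receipt in redeemed:
        return "already_redeemed"         # one survey (and one discount) per receipt
    return "ok"


def issue_discount_code(restaurant, visit_time, receipt, now, redeemed):
    """Consume the receipt and return a placeholder code, or None if validation fails."""
    if validate_receipt(restaurant, visit_time, receipt, now, redeemed) != "ok":
        return None
    redeemed.add(receipt)
    return "DISCOUNT-" + receipt  # placeholder; a real code would be a random, stored token
```

The captcha and rate limiting the post also calls for sit in front of this check; the check itself is what ties every discount code back to a real, recent, unused receipt.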
Business Impact:
Our assessment of this feedback program shows that, in its current implementation:
The whole program is vulnerable to automated, low-quality feedback that is not time-bound.
It is vulnerable to spam feedback messages.
Competitors can undermine the QA process.
All while the "20% discounted price" hit comes out of the marketing budget.