I hacked a BIG prize web game hosted by a popular supermarket chain

12 points by fmdz ↗ HN
A few years back, a well-known supermarket chain, part of Delhaize Belgium, set up a prize game.

It was a web game where your prizes depended on your ranking. Since it was a web-based game, you can guess what might happen With a few tricks, I managed to tweak the scoring logic. I could award myself as many points as I wanted in each round.

The prizes were items worth more than $50 and there were over 100,000 items up for grabs.

After realizing this and placing myself high on the leaderboard with way more points than anyone else, I reached out to someone at Delhaize, via Linkedin, and let them know about this serious vulnerabilities in their game.

It's unbelievable, but they never fixed it, nor did they cancel the game. Of course, I never claimed my prizes, but it's quite a story about how nonchalant they were about the whole thing.

4 comments

[ 4.0 ms ] story [ 22.1 ms ] thread
I'm in the security industry and I would never do this. Most companies don't appreciate unauthorized pen tests and most likely will just send your name over to the local authorities. Most companies won't make changes, even when it's authorized.

Besides, why work for free?

(comment deleted)
Yeah most companies simply don't care, and/or they don't have the processes the address issues like that

They also likely get dozens of similarly looking messages each day from "developing country" "pentesters" for irrelevant issues, so your message could have also ended up with similar looking "spam"