benliew68/hungry-jacks-survey-exploit
hungry-jacks-survey-exploit

POC of cracking the myhjexperience.com Validation Code ciphers

NOTE - This is just a Proof of Concept showing how Hungry Jack's Validation Codes can be cracked and then generated instantly (0.00001 seconds) from Order Codes. It was not created with malicious intent.

Generating a validation code

From the bottom of the receipt, enter the first digit and the last 3 digits of the Order Code into generate_validation_code.py.

Example Receipt

[image: example receipt showing the Order Code]

Entering 1328 from the Example Receipt should produce 42132128.

Command Line Program

```
> python generate_validation_code.py
```

Call the function from the command line

```
> python -c "from generate_validation_code import generate_validation_code; print(generate_validation_code(MY_ORDER_CODE))"
```

Tests

```
> python tests\test_crosscheck_generator.py
```

Context
Hungry Jack's runs a continuous promotion: a customer visits myhjexperience.com, enters the Order Code printed at the bottom of their receipt, and fills out a survey to obtain a Validation Code that can be redeemed for free chips and a drink on their next purchase.

Bugs found in myhjexperience.com
After an Order Code is entered, myhjexperience.com only validates the survey form's input once per page, on the first press of the "Next" button. If "Next" is pressed a second time, the form simply advances to the next page of the survey regardless of the input, and this can be repeated until the final page, where the Validation Code is shown to the customer.

Exploiting this bug
A Python-Selenium script (listed below) was used to navigate to myhjexperience.com and input a customer's Order Code to produce a Validation Code. scrape_code_to_spreadsheet.py was created for this and run for ~3.5 hours to collect 700 pairs of Order and Validation Codes.

It takes on average 18s for a Validation Code to be produced by web browser automation.
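The two weaknesses described above (client-side-only page validation that a second "Next" press skips, and a Validation Code that is a fixed transformation of the Order Code) are both server-side design problems. The following is an added example, not code from this repository, of a hypothetical server-side survey model that avoids them: every page is validated on the server in order, and the code is an HMAC over the Order Code under a server secret, so it cannot be derived from the receipt. Page count, field names and the key are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed for this example: the key lives only on the server and is never
# sent to the browser, so no client-side logic can reproduce the code.
SERVER_KEY = secrets.token_bytes(32)
PAGES = 3  # number of survey pages (assumed)


def issue_code(order_code: str) -> str:
    """Derive an 8-digit Validation Code that is unforgeable without SERVER_KEY."""
    mac = hmac.new(SERVER_KEY, order_code.encode(), hashlib.sha256).digest()
    # Truncate the MAC to 8 decimal digits so it looks like the originals.
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class SurveySession:
    """Server-side state for one Order Code; the browser holds no progress."""

    def __init__(self, order_code: str):
        self.order_code = order_code
        self.next_page = 0  # index of the page still awaiting valid answers

    def submit_page(self, page: int, answers: Dict[str, str]) -> bool:
        # Reject out-of-order, repeated, or empty submissions. A second "Next"
        # press for the same page therefore cannot advance the session.
        if page != self.next_page:
            return False
        if not answers or any(v.strip() == "" for v in answers.values()):
            return False
        self.next_page += 1
        return True

    def validation_code(self) -> Optional[str]:
        # The code is only issued once every page has passed the server check.
        if self.next_page < PAGES:
            return None
        return issue_code(self.order_code)


def skip_attempt(order_code: str) -> Optional[str]:
    """Model the 'press Next twice' bypass against this server: it yields no code."""
    session = SurveySession(order_code)
    session.submit_page(0, {})  # first press with an empty form: rejected
    session.submit_page(0, {})  # second press: still rejected, page not skipped
    session.submit_page(1, {"q1": "ok"})  # page 1 cannot be reached out of order
    return session.validation_code()
```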

Selenium Automation used for initial Validation Code gathering

- scrape_code_to_CLI.py: CLI interface for entering Order Codes by hand.
- scrape_code_to_spreadsheet.py: loops from a configurable starting Order Code, incrementing it a configurable number of times. (Used to obtain the sample set "validation_code_sample_set.xlsx" that the cipher analysis is based on.)

Order Codes
After analysing Order Codes obtained from old HJ receipts, the Order Code can be decoded into:

[image: Order Code broken into its component fields]

Note that the original Order Code on the receipt does not contain hyphens in these exact places; they are added here to make the separation clearer.

Validation Codes
Looking at "validation_code_sample_set.xlsx", there appears to be a relationship between the Validation Codes. On closer inspection, although the Validation Codes as whole numbers share no obvious pattern, each code can be split into pairs of digits, and each pair follows its own larger pattern.

[image: Validation Codes from the sample set split into digit pairs]

Cipher
The pattern of each digit pair is below:

[image: pattern followed by each digit pair]

WIP
