
    Hacker Takes to KFC in Bold Bid to Seize Cheap Chicken, Expose 'Very Bad Cybersecurity'

    By Samyarup Chowdhury,

    8 days ago


    A hacker in Australia has come up with a unique method to bag delicious fried chicken from KFC at prices way lower than the official cost, exposing "very bad cybersecurity" in the company's app.

    Knewz.com has learned that the anonymous hacker shared his "hack" on the deal-fetching Australian website OzBargain.

    A hacker has come up with a unique method to bag delicious fried chicken from KFC at a significant discount. By: MEGA

    A global conglomerate, KFC is a cornerstone of the fast-food industry with an average annual revenue of over $6 billion.

    Despite the company offering special deals and discounts, users often turn to the OzBargain website in search of ways to save a bit of extra cash when buying fried chicken from the online outlets of the Colonel's franchise.

    Posting the latest hack, the anonymous hacker – who goes by the name "AwesomeAndrew" online – wrote in his OzBargain post:

    "Since the previous hacks stopped working, I started looking into new methods of getting cheap chicken. I noticed that the KFC app seems to only perform client side validation of whether your cart is valid (very bad cybersecurity), so I found a new method of getting the hack which works on the KFC website ordering."

    The hacker claimed that hacks like this explain to companies the importance of good cybersecurity. By: MEGA

    "AwesomeAndrew" explained that his eight-step method involves "performing a replay attack on the add to cart request sent to the server," adding that the hack only works on computers and not handheld devices.

    "But I believe that it might still be possible on the app due to lack of server side cart validation."

    Notably, a lot of the posts on the OzBargain website focus on grabbing a good deal on KFC items. Since the website launched in 2006, there have been a total of 748 deals posted for KFC—including special offers launched by the company.

    However, one of the first hacks posted on the site was in 2020, by a user named "drezy."

    "Just wanted to post this hack in case people were interested. You can get 4x Pieces of Original Recipe Chicken or 5x Tenders for only $6.95 in the KFC App. Get in quick before they figure it out and remove it!" drezy wrote in his post at the time.

    There have been a total of 748 deals posted for KFC on the website. By: MEGA

    The handle "drezy" belongs to a 42-year-old office worker named Andre, and he told the Australian news outlet Crikey that he came across the hack accidentally while ordering a meal through the KFC app.

    AwesomeAndrew, who posted the latest hack, said in a message on the OzBargain website that he feels hacks like this "should exist because they inform companies of the importance of having good cyber security."

    "Big companies already make tons of profit, way too much in my opinion," he said in the message, via Crikey.

    However, one of the users pointed out in his post that the hack borders on "unauthorised modification of data," which is considered a criminal activity.

    "You are intentionally bypassing their security even though the security is obviously written by a first year computer grad as anyone else in the industry knows the very first computer lesson is never rely on client side validation," the user wrote.

    KFC was the target of a significant data breach in 2016. By: MEGA

    "They are unlikely to come after you for this, but make no mistake it is most definitely a crime."

    Crikey mentioned in their report that KFC has been on the receiving end of hackers' quest to exploit the system for cheaper meals for a while now, forcing the company to repeatedly fix vulnerabilities in their online system.

    While these hacks might be aimed at trying to bag a meal at a cheaper price, KFC was the target of a significant and more serious cyberattack nearly a decade ago.

    The 1.2 million members of the Colonel’s Club loyalty program in the United Kingdom received an email from KFC in December 2016, informing them that a hacker had breached the website and urging them to change their passwords.

    "Our monitoring systems have found a small number of Colonel’s Club accounts may have been compromised as a result of our website being targeted... Whilst it is unlikely you have been impacted, we advise that you change your password as a precaution," the email read, per the news outlet The Next Web.

    The outlet theorized at the time that the hackers could have gotten their hands on the list of email addresses and passwords of the members of the loyalty program, which would count as a significant data breach.
