Students from IIIT, Hyderabad (India) recently discovered a bug that allowed them to order food from FoodPanda — a Rocket Internet company that also operates in Pakistan — without paying for it.
As you might have guessed, it didn’t take long for the news of the bug to spread across campus. Students managed to rack up orders worth 6 lakh rupees before foodpanda wised up and shut down the site in the city.
Here is how it worked. Students ordered the food and used a coupon code which was only allowed for some users. When the time came for payment, they chose PayU Money which is popular amongst students since it offers a few additional discounts. Before they hit purchase, a confirmation message arrived that signaled their food was on its way.
The issue was highlighted by Brthe.co, the makers of a Chrome extension that suggests coupons to use for getting discounts on food. According to a post on their blog,
It was the evening of April 8th, we noticed our chrome extension getting abnormally large traffic. When we checked on this, the news about the bug was spreading through IIIT hostels like wild fire. Each person went on to fulfill their food fantasies. After all free food does taste better.
The fanciest desserts from Baskin Robins and the largest pizzas were from Papa John’s were ordered. Delivery boys queued up outside the campus for hours after the gates closed. According to the students, orders worth over 6 lakhs were placed.
In the wake of the event, foodpanda shut down service in the city and later in the area where IIIT was located. The Indian startup community was outraged at how the bug was exploited and after hearing recruiters were reconsidering whether they wanted to pick students from the university, a student representative stated that money was being collected and foodpanda would get what they were owed.