The shocking state of ZPos: Order takeaway & pay what you like.

In July 2020, I ordered a takeaway from Napolis Pizza.

Like many firms across the UK, they use ZPos for their websites and electronic point of sale.  With a snazzy website, simple & easy-to-use ordering and minimal processing fees (compared to others in this space), it seems like a great deal for businesses and consumers alike.

However, it quickly became clear that far from the "super secure" service they promote, it's an absolute mess which only places their client - and subsequently you & I - at considerable risk.

Let's dive in.

Pay what you like!

In an act of sheer lunacy, ZPos sites allow the user to choose their own prices!

Simply edit the HTML, alter the price to whatever you like and place your order.

Here's the video showing how it's done.

But, being able to modify the price doesn't necessarily mean it'll go through...

Well, it worked.  Order processed... now to collect it.  Will they notice?

Napolis is a busy place with great food, so I didn't expect anyone to spot the dodgy order.

Sure enough, the food was ready & waiting with not a hint of a problem.

If I were dishonest, I could have easily walked out having paid half the actual price - but after 5 years and numerous attempts to raise it with ZPos, I'd had enough and decided to tell their client directly.  After all, Napolis is a small local business and every penny matters.

They were clearly stunned to realise what had happened and despite offering full payment, they simply thanked me & escalated it with ZPos.  ZPos promised to call me back the following day. More on that later.

5 years, many thousands of orders and any of them could have been altered without the shop's knowledge.  It stands to reason ZPos didn't know either... just how lax is their quality assurance process?

I can excuse the idiotic design - bad developers are a blight on the industry.  I can even excuse the odd security flaw.

What I can't excuse however, is virtually every flaw in the book whilst purportedly being a "super secure", security-conscious service.

The ToFu Attack

I wrote about this back in 2021.

In short, a ToFu - or "trust on first use" - attack is possible when a website accepts registrations from unverified email addresses.

The risk isn't obvious, at first.  Think of it like the web-based equivalent of a supply chain attack; the ability to embed malicious payloads into an account and leverage any existing (or future!) vulnerabilities.

This works because:
a) Most sites don't send confirmation emails after registration
b) Even if they do, the victim hasn't registered and assumes it's spam - ignoring it.

The attacker simply registers with the victim's email address, a random password and buries the malicious payload.  If/when the victim comes to order, the site will report an existing account and offer to reset the password.  Once they do, the payload is executed and the damage is done.

It might seem far-fetched - but I carried out this attack on Dropbox Passwords... copying the victim's "recovery phrase" which doesn't (or rather didn't) change when the password reset.  Every password, payment card, website URL - everything fell into my lap moments later.

Don't trust, verify.

Reflected & stored XSS

It appears ZPos has never heard of output encoding - as virtually every field is susceptible to XSS attacks.

XSS, or Cross-Site Scripting, attacks allow an attacker to execute code in your browser; effectively taking control of the entire session and altering how the site works/looks.

During checkout, ZPos cheekily suggests your details are safe.

In reality, they've gone to greater lengths to place a meaningless trust mark than actually secure the service.

Here, I embed code which alters that trust mark to make it more accurate.

If this were a real attack, nothing would change visually... the attacker would slurp your data (including full payment card/CVV) and allow the order to proceed as normal.

I must remind you, it's been this way for 5 years.

If you've seen strange activity on your card after purchasing from any ZPos powered website, there's a chance you've been the victim of identity theft due to ZPos' poor security posture.

CSRF - Cross Site Request Forgery

A CSRF attack allows an attacker to have your browser perform actions on the site on your behalf, completely without your knowledge.

Here, I change the user's password from a completely different website.

First, I changed the password field type to text - so you can see the information I've entered.  As you know, passwords are normally hidden with ***** to preserve privacy.

Then, I log in with my actual password, which works as expected.  Next, whilst I'm visiting another website, the attacker changes the user's password.

Note: In this demo, the exploit is intentionally obvious to explain how it works.  In reality, this would happen silently & invisibly to the user.  No user action required - just browsing the web as usual.  This is identical to the ASDA/Walmart attack from 2014.

When the user next tries to log in, the password has been changed.

Like the ToFu attack earlier, the attacker is now able to log in as the user - grabbing personal information, order history, telephone numbers, addresses and crucially, embedding a malicious payload to later grab the customer's payment info.

Again, all of this is transparent to the victim.  You won't know the site has been manipulated - neither will ZPos - but I can guarantee, your payment details will either be used or sold shortly thereafter.

If it's days/weeks later, would you put two and two together? Probably not.

Set your own discounts!

In many ways, this is similar to setting your own pricing - but instead, setting your own "points" limit.  This way, the price remains the same to the affected company and it simply appears the customer has valid points to use.

They're unlikely to spot the order anyway, as I mentioned earlier - but now with accurate prices, it's almost certain to fly under the radar.
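Both the "pay what you like" flaw and the points flaw have the same root cause: the server believes figures that arrived from the browser. The fix is for the server to rebuild the bill from nothing more than item identifiers and quantities, using its own catalogue and its own record of the customer's points, and to treat any disagreement with the client's total as a tampered order. The following is an added example, not ZPos code or the author's; the catalogue, the points ledger, the "1 point = 1p" rule and the per-order cap are constructed assumptions.

```javascript
// Added example (not ZPos code): server-side pricing that ignores any price,
// total or points figure the browser submits. Catalogue, ledger and rules are
// constructed for the demo.
const CATALOGUE = {          // unit prices in pence, held only on the server
  'margherita-12': 899,
  'pepperoni-12': 1099,
  'garlic-bread': 350,
};
const POINTS_LEDGER = { 'alice@example.com': 200 }; // assumed: 1 point == 1p off
const MAX_POINTS_PER_ORDER = 500;                   // assumed business rule

// Rebuild the bill from item ids and quantities only. Anything else on the
// line (e.g. a client-supplied "price") is simply never read.
function priceOrder(order) {
  let subtotal = 0;
  for (const line of order.items) {
    const unit = CATALOGUE[line.id];
    if (unit === undefined) throw new Error(`unknown item ${line.id}`);
    if (!Number.isInteger(line.qty) || line.qty < 1 || line.qty > 50) {
      throw new Error(`bad quantity for ${line.id}`);
    }
    subtotal += unit * line.qty;
  }
  // Points: the customer may only spend what the ledger says they hold,
  // never more than the cap, and never more than the bill itself.
  const requested = Number.isInteger(order.pointsToUse) ? order.pointsToUse : 0;
  if (requested < 0) throw new Error('negative points');
  const held = POINTS_LEDGER[order.customer] || 0;
  if (requested > held) throw new Error('insufficient points');
  const points = Math.min(requested, MAX_POINTS_PER_ORDER, subtotal);
  return { subtotal, points, total: subtotal - points };
}

// Compare the server's figure with the total the checkout page claimed. A
// mismatch is the signal the shop never had: it is rejected and logged rather
// than charged at the client's price.
function checkClientTotal(order) {
  const bill = priceOrder(order);
  const claimed = order.clientTotal;
  const ok = claimed === bill.total;
  return {
    ok,
    bill,
    claimed,
    action: ok ? 'charge' : 'reject',
    log: ok ? null : `tampered total for ${order.customer}: claimed ${claimed}, server ${bill.total}`,
  };
}
```

Note what the client total is used for: nothing except detection. The amount actually charged is always the server's figure, so even a checkout that forgets to call checkClientTotal cannot be talked into a discount.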

No security headers, literally none.

This is one of the most basic (but most useful) security steps they could take, but don't.

No security policies, no reporting, no frame limitations... basically, anything goes.
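For reference, this is roughly the header set a card-taking ordering site would ship, together with a small audit that reports which of them a response lacks or sets weakly. It is an added example, not ZPos's configuration or the author's; the directive values are sensible defaults assumed for the demo and would be tuned to the site's actual script and frame needs.

```javascript
// Added example (not ZPos code): a baseline header set and an audit over a
// response's headers. The values are assumed defaults, not any real site's config.
const BASELINE_HEADERS = {
  // Policy: only load from the site itself, forbid framing, send violation reports.
  'content-security-policy':
    "default-src 'self'; object-src 'none'; frame-ancestors 'none'; form-action 'self'; report-uri /csp-report",
  'strict-transport-security': 'max-age=31536000; includeSubDomains',
  'x-content-type-options': 'nosniff',
  'x-frame-options': 'DENY',                 // belt and braces for older browsers
  'referrer-policy': 'strict-origin-when-cross-origin',
  'permissions-policy': 'camera=(), microphone=(), geolocation=()',
  'cache-control': 'no-store',               // checkout pages with card details must not be cached
};
const SIX_MONTHS_SECONDS = 15552000;

// Merge the baseline over whatever the handler set (content-type etc.).
function applyBaseline(headers = {}) {
  return { ...headers, ...BASELINE_HEADERS };
}

// Header names are case-insensitive, so normalise before comparing.
function auditHeaders(headers) {
  const present = new Map(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const findings = [];
  for (const name of Object.keys(BASELINE_HEADERS)) {
    if (!present.has(name)) findings.push(`missing ${name}`);
  }
  const csp = present.get('content-security-policy') || '';
  if (csp && !/report-(uri|to)/.test(csp)) {
    findings.push('content-security-policy has no report-uri/report-to directive');
  }
  const hsts = present.get('strict-transport-security') || '';
  const age = /max-age=(\d+)/.exec(hsts);
  if (hsts && (!age || Number(age[1]) < SIX_MONTHS_SECONDS)) {
    findings.push('strict-transport-security max-age is under six months');
  }
  const xcto = present.get('x-content-type-options');
  if (xcto !== undefined && xcto.toLowerCase() !== 'nosniff') {
    findings.push('x-content-type-options is not nosniff');
  }
  return findings;
}
```

Run the audit against the headers of a live checkout page (from curl or the browser's network panel) and an empty findings list is the target; the "no reporting" point in the text corresponds to the report-uri/report-to check.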

Outdated Dependencies

Fixing bugs & applying security fixes should be an integral part of any business.

Sadly, ZPos is so antiquated, their entire ecosystem looks to be hanging by a thread.  Their caller ID uses Visual Basic 6 - which went "end of life" in 2008!  Not inherently insecure, but certainly legacy and decidedly crusty.

Passwords are reset to 6 "random" numbers

Even if you picked a reasonably safe & secure password, an attacker can reset it to 6 random numbers.

So, if our attacker (or rather their PC) can count to 1 million, every account is accessible in just a few minutes.

Another idiotic design choice.

Passwords emailed to the user

If the user subsequently changes their "reset" password (the above 6 digit number), ZPos used to email the entire password in plain text.  Thankfully, they now redact all but the first & last character.

This is not only unnecessary, but significantly weakens the password.

If we compare this email with another password reset, can you spot the problem?

Not only is the length of the password leaked, but an attacker knows the first & last character.

Responsible disclosure

I contacted ZPos the day it started, way back in 2020.

After 5 days, I sent an email too... which they clearly received.

Again, no reply whatsoever.

4 years later, I tried again.

Still no response.  After 2 emails, 1 contact form submission (and auto reply) and several tweets, they clearly weren't interested.

Another year goes by, so I tried again.

At this point, it's clearly not a priority... which prompted my disclosure to their client, Napolis Pizza.

As you heard earlier, they promised to call back the following day.  Willing to give them another chance to come good, I waited...

24hrs later, having had no phone call, I notified Napolis of my intention to publish and report to the ICO - my patience had finally expired.

Napolis then contacted ZPos again.  At which point, I received an email...

Research projects take considerable time & effort - extending well beyond the initial findings.  The ultimate goal is (and always is) to protect the end user - people like you and me - that use these sites daily and assume they're safe.  The fastest route to resolution is nearly always contacting the firm directly.

If a company has shown willing to engage, I'll invest whatever time is necessary to assist.  If they appear apathetic, the next logical step is to notify the public directly.

I replied...

By this point, I've already written this article and proofed it (cue someone spotting a typo I've missed), so the thought of spending yet more time to explain the situation is demoralising... especially when they've only got in touch after their customer complained - twice.

To add insult to injury, they gave the typical "we take it seriously" nonsense... and say they want to address these issues "quickly and thoroughly".  I'm not sure 5 years constitutes "quickly", but disclosure is rarely a quick & simple process... so against my better judgement, I agreed to a call.

That was last night.  It's now 4PM the following day - no reply, no call and the sites are still live.

Final thoughts:

ZPos is remarkably similar to TiffinTom - another EPOS firm which had little regard for the user's security/privacy.  Unlike ZPos, they at least replied - but disputed everything despite quietly trying to fix it.  They closed shortly after.

I hope the same isn't true for ZPos - they have staff, families, mortgages etc.  But, so do we.  Having your identity stolen is a brutal & humbling experience; the impact from which is often felt for many years.  Ask any TalkTalk victim.

Some may place blame with Napolis here - and whilst they could have paid to have it audited, how many small firms are in a position to do that?  Instead, they understandably outsource & trust a supposed leader in this industry... and I can't find fault in that.  Napolis were not only quick to respond, but actively chased ZPos when their concerns weren't actioned.

As I mentioned to Napolis' Director, these things happen.  What matters is how you respond.  Some go quiet, others go legal (ignoring the Streisand Effect entirely) and if they ignore valid concerns for long enough, some go under.  That said, it's entirely possible to recover by putting policies and procedures in place to not only prevent future vulnerabilities, but engage with people trying to improve your platform.

If you're affected, as a client of ZPos or customer of one of their clients, get in touch.