Last week, Andrew excitedly posted on OzBargain that he had success “looking into new methods of getting cheap chicken”.
In a post titled [Hack] 4 Pieces Original Chicken (or Hot & Spicy Where Available) $7.45 @ KFC (Desktop Browser Required), Andrew — or AwesomeAndrew as he’s known there — wrote on the Australian deals website that KFC’s “very bad cybersecurity” presented an opportunity.
“The method involves performing a replay attack on the add to cart request sent to the server. Unfortunately this method only works on PC, so it is not very convenient to use, but I believe that it might still be possible on the app due to lack of server side cart validation,” Andrew explained.
If this doesn’t make sense to you, don’t worry. All you need to understand is that Andrew provided an eight-step process (involving web browser developer tools that most shoppers never touch) that showed how to buy some fried chicken for roughly half its normal price.
Andrew’s exploit is the latest move in a cat-and-mouse game between deal-hungry OzBargain users searching for a way to save cash, and KFC, which has been forced to repeatedly patch exploits and vulnerabilities letting people buy food for cheaper than intended.
OzBargain users have long feasted on companies’ errors in their pursuit of a good deal. In 2012, 300 people from OzBargain bought a tablet during the Harvey Norman Boxing Day sale that was priced at $122 rather than $600. Gerry Harvey lashed out, calling the purchases the “work of professionals not everyday consumers”.
KFC is one of the most popular brands for deals on the site. There have been at least 748 deals posted for KFC since OzBargain launched in 2006. Many of these deals are sanctioned — there’s a dedicated page on OzBargain’s website for KFC’s July Daily Deals promoted by the fast food outlet — but some are not. And creative bargain hunters are increasingly pushing the limits to obtain cut-price poultry in ways the Colonel never intended.
OzBargain founder Scott Yang said that fast food deals are some of the site’s most popular because people need to eat and want to do so cheaply.
“Seriously, I have no idea how much time people took to find these hacks,” he marvelled in an email to Crikey.
Andrew said he doesn’t have a lot of money and that he likes to eat at KFC because there’s one close to his university campus.
“Big companies already make tons of profit, way too much in my opinion,” he said in a message on OzBargain, before adding that there was a silver lining for the company: “I feel like they should exist because they inform companies of the importance of having good cyber security.”
Andrew admitted that he stands on the shoulders of giants. His KFC exploit was based on a previous hack which, he said, was fixed on the surface but the root cause of which was left unaddressed.
It started simply enough. In 2020, user drezy posted that you could get reduced-price pieces of chicken through the KFC app by adding them as sides to a meal and then removing the meal. “Get in quick before they figure it out and remove it!” he posted.
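The two weaknesses the article describes, a replayed add-to-cart request that the server accepts without validation and a side item that keeps its meal price after the meal is removed, share one root cause: the server trusts cart state it should recompute. The following is an added illustration, not KFC’s code or anything from the OzBargain posts; the catalog, SKUs and prices are made up, and it contrasts a total that trusts client-sent prices with one that re-derives every line from a server-side catalog and re-checks whether the side discount still applies.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed catalog with made-up prices (not KFC's): a side has a standalone
# price and a cheaper price that applies only while it is attached to a meal.
CATALOG = {
    "zinger_meal": {"kind": "meal", "standalone": 12.95, "as_side": None},
    "chicken_4pc": {"kind": "side", "standalone": 14.95, "as_side": 7.45},
}


@dataclass
class Line:
    line_id: str
    sku: str
    qty: int
    parent: Optional[str] = None  # line_id of the meal this side was added to


def total_trusting_client(items: List[dict]) -> float:
    """Weak pattern: the server sums whatever prices the client sent, so a
    replayed or edited add-to-cart request fixes the total on the client side."""
    return round(sum(i["price"] * i["qty"] for i in items), 2)


def total_server_side(lines: List[Line]) -> float:
    """Hardened pattern: prices come only from the catalog, and the side
    discount is re-evaluated against the meals actually left in the cart."""
    meals_present = {
        ln.line_id for ln in lines if CATALOG.get(ln.sku, {}).get("kind") == "meal"
    }
    total = 0.0
    for ln in lines:
        entry = CATALOG.get(ln.sku)
        if entry is None or ln.qty <= 0:
            raise ValueError(f"rejected line {ln.line_id}: unknown sku or bad qty")
        if entry["as_side"] is not None and ln.parent in meals_present:
            total += entry["as_side"] * ln.qty
        else:
            total += entry["standalone"] * ln.qty  # orphaned side reverts to full price
    return round(total, 2)


if __name__ == "__main__":
    meal = Line("l1", "zinger_meal", 1)
    side = Line("l2", "chicken_4pc", 1, parent="l1")
    print(total_server_side([meal, side]))  # 20.4: discount valid while meal present
    print(total_server_side([side]))        # 14.95: meal removed, side re-priced
    print(total_trusting_client([{"price": 7.45, "qty": 1}]))  # 7.45: client price accepted
```

The hardened total never reads a price from the request at all, which is what makes a replayed request harmless: replaying it only re-adds a catalog item at the catalog’s price.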
drezy, who is a 42-year-old office worker named Andre, told Crikey that he accidentally discovered the hack while ordering a meal and wanted to share it with the OzBargain community.
He said he’s watched the hacks become more sophisticated since then.
“Since the popularity of my deal / hack, I believe others have now decided to play around / find more hacks on the KFC app or other fast food apps to share with the community, as we all love a good deal,” Andre said in a message.
KFC, which did not respond to a request for comment, has spent years playing whack-a-mole as it seeks to shut down these unauthorised bargains.
But users are finding ways to keep the good times going despite KFC’s crackdowns. Sometimes KFC fixes the bargain loophole on Apple but not Android devices. Other users refuse to update their app, finding that older versions allow them to still access the deals. People say they change their location to a different state to fool the app into giving them cheaper food. Each time, OzBargain users look for a little gap or mistake that might give them an in.
When one deal was stopped in 2023, user freekay commiserated over its ending in a post.
“In a sad day for all OzBargainers I’m sorry to report that the 4pc chicken hack has been patched,” they wrote.
Some of the site’s users think the company is probably keeping an eye on OzBargain: “I more suspect there are kfc HO [head office] employees that lurk amongst us, that will be alerted to this loophole and shut it down by tomorrow I predict. Such a shame I did enjoy it,” user shkippy said on one deal.
According to Ken, who posted an alternative and easier method based on Andrew’s hack under his bargain nom de plume ThirstyCow earlier this week, the hunt for KFC deals represents something bigger than just saving money.
“It sort of represents the will of the people … Personally, I find the very thought of the lengths people will go to save money [on] KFC pretty amusing,” he said.