https://www.itnews.com.au/news/melbourne-dev-finds-gift-card-pins-can-be-brute-forced-620022
A Melbourne software developer has found a serious weakness in gift cards sold at Australian supermarkets: the card issuer's website exposed endpoints that let an attacker guess a card's PIN and drain its balance. Simon Dean began investigating after buying two $500 gift cards from Woolworths whose last four card-number digits had been scratched off. Looking at The Card Network (TCN) website, he found multiple unprotected endpoints that accepted unlimited PIN attempts, with no rate limiting or other abuse controls.
Using a Python script written with AI coding assistance, Dean demonstrated the weakness by brute-forcing the four-digit PIN of a $20 test card in about 15 minutes: roughly 10 minutes to write the script and five minutes to run through the 10,000 possible combinations, which works out to around 33 attempts per second. The attack worked because TCN's site lacked the basic controls that normally stop automated guessing, such as attempt limits, CAPTCHA challenges or lockouts after repeated failures. Dean also found that one of his original cards had been activated and emptied within hours of purchase even though the protective film over its PIN was still intact, so the PIN had never been read physically, which suggests the weakness was already being exploited.
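The following is an added, offline illustration of the failure mode the article describes; it is not TCN's code or Dean's script. It simulates a PIN-check endpoint twice, once with no attempt limit (the vulnerable behaviour) and once with a per-card lockout, and runs the same exhaustive 4-digit search against both. The card number, PIN, balance and class names are constructed for the demo and are not real card data.

```python
"""Why an unthrottled PIN check falls to a 10,000-guess search.

Constructed simulation for illustration; not the issuer's code.
Card number, PIN and balance below are made up.
"""
import hmac
from dataclasses import dataclass

# Constructed card record (hypothetical data, not a real card).
CARDS = {
    "6006491234567890": {"pin": "4821", "balance": 20.00},
}


@dataclass
class PinCheckResult:
    ok: bool            # PIN accepted
    locked: bool = False  # card is locked out for further attempts


class UnthrottledVerifier:
    """Mimics the vulnerable behaviour: every attempt is checked, forever."""

    def __init__(self, cards):
        self.cards = cards
        self.attempts = 0  # total calls seen, for reporting only

    def check(self, card_number, pin):
        self.attempts += 1
        rec = self.cards.get(card_number)
        # Constant-time compare avoids a timing side channel on the PIN itself;
        # it does nothing to stop an attacker who may simply try every value.
        ok = rec is not None and hmac.compare_digest(rec["pin"], pin)
        return PinCheckResult(ok=ok)


class ThrottledVerifier:
    """Hardened form: a per-card failure counter with a hard lockout."""

    MAX_ATTEMPTS = 5  # assumed policy value for the demo

    def __init__(self, cards):
        self.cards = cards
        self.failed = {}   # card_number -> consecutive failed attempts
        self.attempts = 0

    def check(self, card_number, pin):
        self.attempts += 1
        if self.failed.get(card_number, 0) >= self.MAX_ATTEMPTS:
            # Reject without even comparing: the card is locked.
            return PinCheckResult(ok=False, locked=True)
        rec = self.cards.get(card_number)
        if rec is not None and hmac.compare_digest(rec["pin"], pin):
            self.failed.pop(card_number, None)
            return PinCheckResult(ok=True)
        self.failed[card_number] = self.failed.get(card_number, 0) + 1
        return PinCheckResult(
            ok=False, locked=self.failed[card_number] >= self.MAX_ATTEMPTS
        )


def brute_force(verifier, card_number):
    """Try every 4-digit PIN in ascending order.

    Returns (pin_or_None, attempts_made, locked_out).
    """
    for n in range(10_000):
        pin = f"{n:04d}"
        result = verifier.check(card_number, pin)
        if result.locked:
            return None, n + 1, True
        if result.ok:
            return pin, n + 1, False
    return None, 10_000, False


if __name__ == "__main__":
    card = "6006491234567890"
    print("no throttling:", brute_force(UnthrottledVerifier(CARDS), card))
    print("with lockout: ", brute_force(ThrottledVerifier(CARDS), card))
```

Against the unthrottled verifier the search recovers the constructed PIN 4821 on attempt 4822; on average an attacker needs about 5,000 guesses, which at the roughly 33 requests per second implied by the article takes a few minutes. The lockout variant stops the same search after five guesses. Note the trade-off a practitioner would weigh: a hard per-card lockout lets anyone who knows a card number lock its legitimate owner out, so in practice it is paired with rate limiting per source, a CAPTCHA on repeated failures and alerting on attempt volume rather than used alone.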
The disclosure process was slow and frustrating: Dean waited more than a month to be reimbursed for the stolen funds and received no bug bounty or other reward for reporting the flaw. After Dean published a YouTube video about the incident and media inquiries followed, TCN's parent company Incomm confirmed the case and said it had resolved both Dean's issue and the underlying security concerns. A banner on TCN's website stated that the option to swap physical cards for online use was temporarily unavailable, which suggests the company disabled the affected functionality while fixes were implemented. The incident points to a broader weakness of gift card systems: because cards are not tied to a registered user identity, fraud investigation is harder, and anonymous redemption gives attackers an easy way to cash out, a risk that extends to the millions of gift card users across Australia.