This was posted 5 months 3 days ago, and might be an out-dated deal.

Related
  • expired

[Hack] 4 Pieces Original Chicken (or Hot & Spicy Where Available) $7.45 @ KFC (Desktop Browser Required)

2120
[Hack] 4 Pieces Original Chicken (or Hot & Spicy Where Available) $7.45 @ KFC (Desktop Browser Required)
Go to Deal
AwesomeAndrew on 01/07/2024 - 16:37 kfc.com.au (1707 clicks)
Last edited 01/07/2024 - 19:56 by 1 other user

Since the previous hacks stopped working, I started looking into new methods of getting cheap chicken. I noticed that the KFC app seems to only perform client side validation of whether your cart is valid (very bad cybersecurity), so I found a new method of getting the hack which works on the KFC website ordering. The method involves performing a replay attack on the add to cart request sent to the server. Unfortunately this method only works on PC, so it is not very convenient to use, but I believe that it might still be possible on the app due to lack of server side cart validation.

Steps:

  1. Open KFC website (https://www.kfc.com.au/menu/shared-meals/burger-feast)
  2. Add burger feast to cart (Other feasts might also work)
  3. Open browser developer tools (Ctrl + Shift + I), then go to the network tab
  4. Add the add on you want to cart
  5. In the developer tools, identify the network request that corresponds to adding the add on to cart (POST request, URL ends with /line-items)
  6. Go to cart and remove the feast, it will remove the add on as well. (Hint: do this in another tab so the developer tools does not get cluttered with extra network requests).
  7. Go back to browser developer tools and replay the request identified in step 5. (right click, then Resend in Firefox or Replay XHR in Chrome)
  8. Refresh the cart page and the add on should be in there.

See also alternative hack by ThristyCow, which does not use developer tools and can be performed on mobile:

  1. Open 2 tabs of the KFC site.
  2. On tab #1, add the Burger Feast to the cart and do not press anything when Add-ons menu appears.
  3. Switch to tab #2 and navigate to cart and remove the feast
  4. Switch to tab #1 and click Add to Order on the add-on you want.
Dining & Takeaway Fast Food Fried Chicken

Related Stores

KFC Australia
KFC Australia

closed Comments

  • CyberMurning on 01/07/2024 - 16:43
    +5

    wow, awesome, Andrew!

  • boretentsu on 01/07/2024 - 16:45
    +15

    Open browser developer tools

    Does it come with 30TB of free storage for 67 years as well? https://www.ozbargain.com.au/node/802407

  • sunaus on 01/07/2024 - 16:47

    Thanks

  • djmm on 01/07/2024 - 16:48
    +6

    Do you think they'll spit on the chicken?

    • vengeance88 on 01/07/2024 - 17:23
      +11

      Does Hawk Tuah work there?

      • lordra on 01/07/2024 - 23:05

        Of she does, I'm buying.

  • Skatez on 01/07/2024 - 16:51
    +3

    LMAO

    • smartazz104 on 02/07/2024 - 06:07
      +2

      Oh no Colonal Sanders will come after me.

    • CodeXD on 02/07/2024 - 08:25

      What law is it breaking?

      • gromit on 02/07/2024 - 08:59
        -2

        "unauthorised modification of data", it is considered a criminal activity, combined with obtaining advantage by deception. You are intentionally bypassing their security even though the security is obviously written by a first year computer grad as anyone else in the industry knows the very first computer lesson is never rely on client side validation. No They are unlikely to come after you for this, but make no mistake it is most definitely a crime.

  • freekay on 01/07/2024 - 16:59
    +17

    I've gone so far as to stop the KFC app from updating on my phone. So the last hack still works for me. Yes, I now have to manually update each one of my apps, but the love of the chicken keeps me going.

    • citybargainhunter on 01/07/2024 - 18:36
      +20

      Get a second phone and use this as the dedicated chicken phone.

    • askvictor on 01/07/2024 - 19:05
      +1

      Which version are you using?

    • noshopping on 01/07/2024 - 19:16
      +7

      share KFC APK file lol

    • CodeXD on 01/07/2024 - 19:55

      What version are you in?

    • flywing on 01/07/2024 - 21:36

      If you are on android:
      You can extract or download the old APK, clone it(many app or website can do that), then install the cloned APK.

    • lordra on 01/07/2024 - 23:05

      How do you get past the forced update?

    • freekay on 01/07/2024 - 23:30

      Looks like the jig is up for me as well. Dreaded forced update screen has hit my account :(

      • CyberMurning on 02/07/2024 - 08:44
        +1

        oh nooo
        we need a real hackers - they should work with us to hack kfc instead medibank optus etc

  • HolyCr4p on 01/07/2024 - 17:03
    +6

    Red roster's crispy chicken is still better than kfc soggy chicken

    • Saku-kurata on 02/07/2024 - 02:31

      Thats why I always get the hot and spicy ones ;) (im in qld)

      • YodaBaby on 03/07/2024 - 10:35

        I think it depends on store but I mostly find their hot & spicy dull as compared to their stores in Asia.

        • Saku-kurata on 03/07/2024 - 21:04

          100% agree looks like KFC added extra spices to suit local palate. The one in Indonesia has more spices flavour which I like

  • vorsprung on 01/07/2024 - 17:04
    +8

    I wouldn't do this, especially after giving detailed instructions on a public forum. When their app has a bug or glitch that you exploit, you could play dumb. When you're intentionally bypassing client side validation and replaying HTTP messages it's a bit more deliberate.

    I agree they shouldn't rely on client-side validation but that's beside the point.

    I'll probably get downvoted like the other nay-sayer…

    • askbargain on 01/07/2024 - 17:15
      +7

      Keep playing dumb?

      The people in store are teenagers who don’t have a CS degree.

      • CyberMurning on 02/07/2024 - 08:45

        but there must be some higher end managers who browsing ozb or even the CEO

    • Ghost47 on 01/07/2024 - 17:31
      +9

      If anything this is a good thing and will force KFC to implement better cybersecurity practices, something that is sorely needed in a lot of Australian organisations.

    • Binchicken22 on 01/07/2024 - 18:04
      +3

      Honestly what are they Gunna do… Yeah they'll probably shut it down and close the loophole now it's public, but ultimately they aren't going to take him to court over him getting slightly cheaper dirty bird.

    • cooni on 01/07/2024 - 18:57
      +6

      Yeah watch out they might throw you in jail for replaying a http request to add some chicken to your cart.

    • zubzub on 01/07/2024 - 18:59
      +1

      Lucky we no longer do capital punishment.

    • samuelalexmclean on 01/07/2024 - 21:39
      +14

      What's the charge, officer? Enjoying a meal?

      • freekay on 01/07/2024 - 22:17
        +9

        A succulent American meal..

        • melbourne guy on 01/07/2024 - 23:55
          +4

          Get your hands off my hot and crispy!

  • Ghost47 on 01/07/2024 - 17:07

    Nice work OP LOL. Now can you figure out a way to change the add on to be whatever you want it to be? Time to stick it to the Colonel.

  • ttkc on 01/07/2024 - 17:11
    +3

    Buy now regret later.

    • Nugs on 02/07/2024 - 10:16
      +1

      no ragrets
      .

      • Pilotwings77 on 02/07/2024 - 12:21

        Meet the Millers :'):')

  • cyrax83 on 01/07/2024 - 17:17

    Lol nice

  • CodeXD on 01/07/2024 - 17:22
    +3

    Nice got it to work.

    A tip for those on MS Edge

    Go to network tab first and 'stop' recording network log so it doesn't spam the log with data you do not want. Start recording just before you add the add-on then stop it afterwards.

  • dust on 01/07/2024 - 17:23
    +14

    Gerry was right. We really are professionals.

  • alvian on 01/07/2024 - 17:24

    Step 4. Add the add on you want to cart.

    How do you add 4 pieces of original chicken to the cart? The add-ons menu allows only burgers and twisters to be added.

  • Gdsamp on 01/07/2024 - 17:32
    -2

    Incredible

  • [Deactivated] on 01/07/2024 - 17:34

    6 pieces are $4 at Woollies, no bones my dog likes them.

    • UncleRico on 01/07/2024 - 21:21
      +1

      Stop eating dogfood, Bendy!

  • yuisakas on 01/07/2024 - 17:55
    -2

    Coles has lowered the Steggles Chicken Wings for $9.9,they are more juicy than KFC pieces and thats the best case if the kids not overcooked your chicken,only if you dont have microwave or air fryer,this "hack"might be ok,by the way KFC chicken are made and marinated by Baiada(Steggles) anyway

  • Zitane on 01/07/2024 - 18:17

    this is awesome, andrew.

  • ThirstyCow on 01/07/2024 - 18:18
    +61

    There is a alternative method to do this also in web browsers which doesnt involve the developer tools and it works on phone as well.
    1. Open 2 tabs of the KFC site.
    2. On tab #1, add the Burger Feast to the cart and do not press anything when Add-ons menu appears.
    3. Switch to tab #2 and navigate to cart and remove the feast
    4. Switch to tab #1 and click Add to Order on the add-on you want.

    You should then have the addon only in the cart and can checkout as usual.

    Nice to see people innovating for a bargain.

    • Lit Homie on 01/07/2024 - 23:08
      +1

      Incredible it works

    • freekay on 01/07/2024 - 23:36
      +1

      This needs its own post IMO

    • Saku-kurata on 02/07/2024 - 02:37
      +4

      Awesome hack!! IMO Should have kept it secret until the other hack patched first :D

      • AwesomeAndrew on 02/07/2024 - 12:21
        +1

        I guess this method exploits a race condition in the case of 2 tabs, so it is slightly different, but if they patch it properly by doing server side cart validation then the hacking will be over for good.

        • lilfatbum on 02/07/2024 - 19:09

          ThirstyCow knows his shit

        • gromit on 03/07/2024 - 08:20
          +1

          kinda but not really, race condition is something else. This basically is just utilising shared data (cookies) on the client side and the scripts have poor validation through cross session data access. Race conditions are when 2 threads try to change the data at the same time.

    • Rick James18 on 03/07/2024 - 20:41
      +1

      You crazy ducking basterd, you did it!!!

  • Homr on 01/07/2024 - 18:49

    wait what? so the app hack doesn't work anymore??

  • Homr on 01/07/2024 - 18:52
    -2

    I noticed that the KFC app seems to only perform client side validation of whether your cart is valid (very bad cybersecurity), so I found a new method of getting the hack which works on the KFC website ordering.

    How does one get to learn this? Did you like a Computer Science or Web Developer degree or something??

    • AwesomeAndrew on 01/07/2024 - 19:53
      +3

      Self taught. Learned web development (front end and back end) from w3schools.

  • ipiok on 01/07/2024 - 19:04
    -5

    Will KFC ever get with the times and allow you to use the app in the drive through. I don’t want to order to then have to get out and go in the shop

    • ausmisc on 01/07/2024 - 19:14

      I've been using the app to order drive though for years

    • askvictor on 01/07/2024 - 19:53

      Wat? I pick up app orders at the drive through all the time

    • CodeXD on 01/07/2024 - 19:57

      When you order on the app, you can literally pick 'in store' or 'drive thru'

    • brianmau on 01/07/2024 - 20:18
      +1

      If you happen to have one of the online feedback voucher code for a 600ml soft drink (now it's an email with a code), choose pickup at drive thru. When you're at the speakerphone, tell them your order number, also tell them you want to redeem a free drink from the feedback page. Show them your phone screen with the email on it (they don't really read it anyway) and you can reuse the same voucher again again and again. Been working since they have this online voucher code thing earlier this year. YMMV.

    • smartazz104 on 02/07/2024 - 06:08
      +1

      Oh dear…

    • melbourne guy on 03/07/2024 - 11:58

      Are you confusing KFC with Red Rooster?

  • MeagerDollarBucks on 01/07/2024 - 19:33
    +4

    I just want some cheap chicken, not learn how to code the Mars Rover! /s

  • ilovefullprice on 01/07/2024 - 19:42

    Thanks OP

  • montorola on 01/07/2024 - 19:54

    Lol this one is literally a hack! Nice

  • gregorian on 01/07/2024 - 20:04

    Can I schedule the order for pick up to be tomorrow?

    • CodeXD on 01/07/2024 - 20:20
      +1

      why not just order it tomorrow?

  • bcYield on 01/07/2024 - 20:04

    Next level OzBers…. One-step closer to scammers (but who mind birds back)

  • puppetmaster on 01/07/2024 - 21:16

    Shut up and take my upvote!

  • MrMaestro on 01/07/2024 - 21:29
    +3

    KFC Australia trying to respond to thousands of OzBargainers skimming discount chicken:
    https://youtu.be/msX4oAXpvUE?si=gMmUOF20kwJdGxwc

  • AkuroPlays on 01/07/2024 - 22:13

    LOL good find

  • AkuroPlays on 01/07/2024 - 22:16
    +2

    Time to bring a laptop with me when i go through drive-thru…

    • CodeXD on 01/07/2024 - 22:21
      +2

      alternative hack works with phone browser

  • kaleidoscope on 02/07/2024 - 00:02
    +3

    For not making H&S available in VIC they 1000% deserve this abuse of service.

  • MEGASERVE on 02/07/2024 - 00:14
    -6

    Or save yourself $7.45 and a heart attack

  • kalupet on 02/07/2024 - 06:50

    Someone from KFC might be a member kfc OzBargain

  • hardya on 02/07/2024 - 09:00
    +2

    Some IT boffins (uni students) in Kentucky Fried Chicken National Headquarters (filthy storeroom at the back of their Guildford store) scrambling to recode their website.

Login or Join to leave a comment
Login Join