Warning: Irresponsible Disclosure (mostly sarcasm)

So I may have accidentally hacked GNC, the supplement company in the mall. Not with a computer but by signing up for a Gold Card.

See, GNC has a membership called Gold Card that you pay 15 or 20 dollars per year for. It pays for itself after usually one trip with discounts, so it is worth it.

Well...when I signed up for Gold Card I did not want to give them my phone number but they insisted I give them a number so naturally, I made one up. The phone number I made up just happened to already exist in their system...

Everytime I go to GNC, I'm told some other guy has the same number as me and I am asked "Which guy are you?" I presume this guy is paying once and both of our gold cards are being credited.

It's been about three years and I have never once had to re-buy a gold card. The reason? I believe the phone collision caused it. Here's why.

Some programmer probably wrote a SQL query that is similar to the below SQL query when you re-purchase your GNC Gold Card.

UPDATE tbl_member set GoldStatus=1 where PhoneNumber=<my-fake-num>;

This ends up giving me Gold Card everytime the other guy renews his membership...and vice-versa.

I'm willing to bet many many memberships are vulnerable to this same attack. Programmers may expect a employee of their company to provide sane input while forgetting that the customer is always right.

ejj, March 2014