How a Student Exploited KFC’s App to Earn 58,000 ¥ – A Security Case Study

A 1998‑born university student discovered synchronization flaws in the KFC app, repeatedly abused them to obtain free meals and vouchers worth over 58,000 yuan, sold the illicit gains, taught friends the method, and was ultimately sentenced for fraud.

Programmer DD

A 1998‑born university student from Jiangsu discovered two synchronization vulnerabilities in the KFC app in 2018.

The first flaw worked like this: place an order with a prepaid combo voucher, stop before paying, refund the voucher through WeChat, and then cancel the order in the app. The voucher could then be requested again, so it was obtained at no cost. The two flaws in detail:

1. Use the combo voucher to place an order, pause before payment, refund the voucher in WeChat, cancel the order in the app, then request a new voucher. Result: a voucher obtained without cost.
2. Use the voucher to place an order, refund the voucher in WeChat, then pay with the same voucher in the app. The payment went through and a meal code was issued. Result: a free meal.

The KFC system did not synchronize voucher state between its own app and the WeChat refund channel, so a voucher refunded on one side was still treated as valid on the other. The student exploited this repeatedly; by October of the same year he had accumulated over 58,000 yuan in free meals and vouchers.
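To make the mechanism concrete, the following is an added illustration, not code from the original article and not a model of KFC's or WeChat's real systems, whose internals the article does not describe. It contrasts a toy design in which the ordering side and the wallet side each keep their own copy of a voucher's status with a single-ledger state machine where every operation is a guarded transition, and adds a reconciliation check that flags vouchers refunded in one system's event export and redeemed in the other's. The class and function names (`DesyncedVouchers`, `VoucherLedger`, `find_refund_then_redeem`), the state names and the sample event lists are all assumptions constructed for the example.

```python
# Added example: voucher state handling with and without a single source
# of truth. All names, states and sample data are constructed assumptions.
from enum import Enum


class VoucherState(Enum):
    ISSUED = "issued"        # in the user's wallet, unused
    RESERVED = "reserved"    # attached to a pending order
    REDEEMED = "redeemed"    # payment completed, meal code released
    REFUNDED = "refunded"    # value returned, voucher dead


class VoucherError(Exception):
    pass


class DesyncedVouchers:
    """Toy model of the flaw: the ordering side and the wallet side each
    hold their own view of the voucher and never reconcile."""

    def __init__(self):
        self.app_view = {}     # voucher_id -> usable for payment?
        self.wallet_view = {}  # voucher_id -> refundable?

    def issue(self, vid):
        self.app_view[vid] = True
        self.wallet_view[vid] = True

    def refund(self, vid):
        # Only the wallet side records the refund.
        if not self.wallet_view.get(vid):
            raise VoucherError("already refunded")
        self.wallet_view[vid] = False

    def pay(self, vid):
        # The ordering side still believes the voucher is usable.
        if not self.app_view.get(vid):
            raise VoucherError("voucher not usable")
        self.app_view[vid] = False
        return f"meal-code-{vid}"


class VoucherLedger:
    """Hardened model: one authoritative state per voucher, each action is
    a guarded transition, and every transition is appended to a log."""

    _ALLOWED = {
        ("reserve", VoucherState.ISSUED): VoucherState.RESERVED,
        ("cancel", VoucherState.RESERVED): VoucherState.ISSUED,
        ("pay", VoucherState.RESERVED): VoucherState.REDEEMED,
        ("refund", VoucherState.ISSUED): VoucherState.REFUNDED,
    }

    def __init__(self):
        self.state = {}
        self.log = []  # (voucher_id, action, from_state, to_state)

    def issue(self, vid):
        if vid in self.state:
            raise VoucherError("duplicate voucher id")
        self.state[vid] = VoucherState.ISSUED
        self.log.append((vid, "issue", None, VoucherState.ISSUED))

    def _transition(self, vid, action):
        cur = self.state.get(vid)
        nxt = self._ALLOWED.get((action, cur))
        if nxt is None:  # refund-while-reserved and pay-after-refund land here
            raise VoucherError(f"{action} not allowed from {cur}")
        self.state[vid] = nxt
        self.log.append((vid, action, cur, nxt))
        return nxt

    def reserve(self, vid): return self._transition(vid, "reserve")
    def cancel(self, vid): return self._transition(vid, "cancel")
    def refund(self, vid): return self._transition(vid, "refund")

    def pay(self, vid):
        self._transition(vid, "pay")
        return f"meal-code-{vid}"


def double_use_in_desynced_model(vid="v1"):
    """Refund on the wallet side, then pay on the ordering side: the
    desynchronized model accepts both and hands out a meal code."""
    s = DesyncedVouchers()
    s.issue(vid)
    s.refund(vid)
    return s.pay(vid)


def double_use_in_ledger_model(vid="v1"):
    """Same sequence against the ledger: both illegal steps are rejected.
    Returns the rejection messages."""
    ledger = VoucherLedger()
    ledger.issue(vid)
    ledger.reserve(vid)
    errors = []
    try:
        ledger.refund(vid)   # reserved voucher cannot be refunded
    except VoucherError as e:
        errors.append(str(e))
    ledger.cancel(vid)
    ledger.refund(vid)       # legitimate refund of an unused voucher
    try:
        ledger.pay(vid)      # refunded voucher cannot pay
    except VoucherError as e:
        errors.append(str(e))
    return errors


# Constructed sample event exports from the two sides (not real data).
WALLET_EVENTS = [("v1", "issue"), ("v1", "refund"), ("v2", "issue")]
ORDER_EVENTS = [("v1", "redeem"), ("v2", "redeem")]


def find_refund_then_redeem(wallet_events, order_events):
    """Reconciliation across both exports: voucher ids that were refunded
    on the wallet side and still redeemed on the ordering side."""
    refunded = {vid for vid, ev in wallet_events if ev == "refund"}
    return sorted(vid for vid, ev in order_events
                  if ev == "redeem" and vid in refunded)


if __name__ == "__main__":
    print(double_use_in_desynced_model())
    print(double_use_in_ledger_model())
    print(find_refund_then_redeem(WALLET_EVENTS, ORDER_EVENTS))
```

The design point is that a voucher's status must live in exactly one place and change only through transitions the ledger permits; the refund channel and the ordering channel both call into that ledger instead of keeping private copies. The reconciliation function is the kind of periodic cross-check that would have surfaced a pattern of refund-then-redeem long before the losses reached the figures in this case.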

He did not consume all the meals himself; instead, he sold the illicit vouchers and meals at low prices through online trading platforms, profiting from the transactions.

He also taught the method to four classmates, who each earned between 8,900 yuan and 47,000 yuan using the same technique.

After the parent company Yum! Brands reported the issue, police arrested the student. The Shanghai Xuhui Court tried the case and held that the conduct constituted fraud rather than mere exploitation of a system malfunction, emphasizing the deceptive nature of the actions.

Ultimately, the student and his four accomplices were sentenced to prison terms ranging from one year and three months to two years and six months, and fined between 1,000 yuan and 4,000 yuan each.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: fraud, legal case, app exploitation, KFC
Written by Programmer DD, a tinkering programmer and author of "Spring Cloud Microservices in Action"