After my previous complaint (see http://faizhasim.com/yet-another-complain-on-plaintext-password/), a Pizza Hut representative contacted me via Twitter and silently addressed the issue. They never replied to my email, though.
Well, their "solution" never fixed the problem. Their system still sends a plaintext password whenever you reset it. However, instead of sending your forgotten password, it now generates a new random password, like UBN4MT8H, and sends that.
The only thing I got out of it is the ability to change my password, that's all.
Sometimes I don't get why some businesses have no empathy for their customers. They also put their own business at risk! For example, in this case, an attacker could simply run through a list of email addresses and fire a Forgot Password request at Pizza Hut Delivery for each one. Their system would then change those users' actual passwords and cause grievance to the customers, which will turn them into angry customers and ultimately kill the business. Angry customers for a business that depends heavily on average Joes to buy their pizzas? That won't go well.
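To make the difference concrete, here is an added illustration (my own code for this post, not Pizza Hut's system) of the two reset designs side by side. `WeakResetService` models the behaviour described above: an unauthenticated "forgot password" request immediately replaces the account password with a random one and emails it in plaintext, so anyone who knows your email address can lock you out. `TokenResetService` is the usual fix: the request leaves the current password untouched and only emails a short-lived, single-use token; the password changes only when whoever holds that token picks a new one, and requests per address are rate limited. The accounts, addresses and the "outbox" are constructed fixtures, and `example.invalid` is a placeholder domain.

```python
"""Weak vs. token-based password reset (added example, not the vendor's code)."""
import hashlib
import hmac
import secrets
import time


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the demo dependency-free; argon2id or scrypt is preferable in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, email: str, password: str):
        self.email = email
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(password, self.salt)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, hash_password(password, self.salt))

    def set_password(self, password: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(password, self.salt)


class WeakResetService:
    """The flow the post describes: reset = overwrite password + email it in plaintext."""

    def __init__(self, accounts):
        self.accounts = {a.email: a for a in accounts}
        self.outbox = []  # (recipient, body) pairs standing in for real email delivery

    def forgot_password(self, email: str) -> None:
        acct = self.accounts.get(email)
        if acct is None:
            return
        new_pw = secrets.token_hex(4).upper()  # 8 characters, like the UBN4MT8H in the post
        acct.set_password(new_pw)  # the victim's password changes with no confirmation at all
        self.outbox.append((email, f"Your new password is {new_pw}"))


class TokenResetService:
    """Reset request issues a hashed, expiring, single-use token; password is unchanged until redeemed."""

    TOKEN_TTL = 15 * 60           # seconds a reset link stays valid
    MAX_REQUESTS_PER_HOUR = 3     # per email address

    def __init__(self, accounts, clock=time.time):
        self.accounts = {a.email: a for a in accounts}
        self.clock = clock        # injectable for deterministic testing
        self.tokens = {}          # sha256(token) -> (email, expiry); raw tokens are never stored
        self.requests = {}        # email -> list of request timestamps
        self.outbox = []

    def forgot_password(self, email: str) -> bool:
        now = self.clock()
        recent = [t for t in self.requests.get(email, []) if now - t < 3600]
        if len(recent) >= self.MAX_REQUESTS_PER_HOUR:
            return False          # rate limited: a flood of requests cannot spam the mailbox
        recent.append(now)
        self.requests[email] = recent
        acct = self.accounts.get(email)
        if acct is None:
            return True           # same answer as for a real account, so addresses can't be enumerated
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self.tokens[digest] = (email, now + self.TOKEN_TTL)
        self.outbox.append((email, f"Reset link: https://example.invalid/reset?token={token}"))
        return True

    def redeem(self, token: str, new_password: str) -> bool:
        digest = hashlib.sha256(token.encode()).digest()
        entry = self.tokens.pop(digest, None)  # pop makes the token single-use
        if entry is None:
            return False
        email, expiry = entry
        if self.clock() > expiry:
            return False
        self.accounts[email].set_password(new_password)
        return True


if __name__ == "__main__":
    victim = Account("victim@example.invalid", "correct horse battery")
    WeakResetService([victim]).forgot_password("victim@example.invalid")
    print("weak flow, old password still works:", victim.check_password("correct horse battery"))

    victim = Account("victim@example.invalid", "correct horse battery")
    svc = TokenResetService([victim])
    svc.forgot_password("victim@example.invalid")
    print("token flow, old password still works:", victim.check_password("correct horse battery"))
```

The point the comparison makes: in the weak flow a single unauthenticated request is enough to lock the legitimate user out, whereas in the token flow the attacker gains nothing from knowing an email address, because nothing changes until the token that only the mailbox owner receives is redeemed, and the rate limit caps how much mail the request can generate.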