A free croissant sounds harmless. But when our favourite local coffee shop introduced a new loyalty app, our curiosity as pentesters kicked in.

This talk is a light-hearted but deeply practical look at how poor security design can hide in plain sight, even in something as innocuous as a mobile-based rewards app. We'll walk through how we uncovered design flaws in a loyalty system that relied on pressing a physical object against your screen to register points. No hard-core exploitation techniques were needed. Just a croissant, a caffeine fix, and a feeling that something wasn't quite brewed right.