McDonald's Not Lovin' It When Hacker Exposes Nuggets of Rotten Security
A white-hat hacker known by the handle "Bobdahacker" has discovered a series of critical flaws in McDonald's staff and partner portals that have left the fast-food giant scrambling to fix security vulnerabilities. She first noticed something was amiss when she found that the McDonald's online delivery app only ran client-side checks when looking up an account's credit points, with no server-side checking, allowing anyone to order free food.
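The free-food bug above is the classic shape of a client-side-only check: the app decides whether the customer has enough points and the server takes its word for it. The following is an added example, not code from McDonald's, its app, or The Register; it puts the trusting handler next to the hardened one. The ledger, the account IDs and the point prices are constructed for the demo.

```python
"""Server-side authorization for a loyalty-point redemption.

Added example, not code from McDonald's, its app, or The Register. It
models the failure described above: a client that reports its own point
balance and a server that believes it. The hardened handler ignores any
balance or price figure the client sends and consults its own records.
Account balances and the menu below are constructed for the demo.
"""
from __future__ import annotations

# Constructed sample data: the server's own price list (cost in points).
MENU = {"fries": 50, "burger": 90}


class Ledger:
    """Authoritative point balances; the server is the only source of truth."""

    def __init__(self, balances: dict[str, int] | None = None) -> None:
        # constructed sample accounts: one with points, one with none
        self.balances = dict(balances or {"acct-1": 120, "acct-2": 0})

    def balance(self, account_id: str) -> int:
        return self.balances.get(account_id, 0)

    def debit(self, account_id: str, points: int) -> None:
        self.balances[account_id] = self.balance(account_id) - points


def redeem_trusting_client(ledger: Ledger, request: dict) -> dict:
    """The client-side-only pattern: the server accepts the balance and the
    price that the app reports alongside the order. Nothing stops a user from
    editing those numbers before they leave the device."""
    account = request["account_id"]
    cost = request["cost"]                        # attacker-controlled
    claimed_balance = request["claimed_balance"]  # attacker-controlled
    if claimed_balance < cost:
        return {"ok": False, "reason": "insufficient points (per client)"}
    ledger.debit(account, cost)                   # ledger can go negative
    return {"ok": True, "charged": cost}


def redeem_server_checked(ledger: Ledger, request: dict) -> dict:
    """The server-side pattern: the request carries only the account and the
    item. Price and balance come from server records, and the check and the
    debit happen in the same server-side step, so the client controls neither."""
    account = request["account_id"]
    item = request.get("item_id")
    if item not in MENU:
        return {"ok": False, "reason": "unknown item"}
    cost = MENU[item]
    if ledger.balance(account) < cost:
        return {"ok": False, "reason": "insufficient points"}
    ledger.debit(account, cost)
    return {"ok": True, "charged": cost}


if __name__ == "__main__":
    # A forged request from an empty account: claims a huge balance, price 0.
    forged = {"account_id": "acct-2", "item_id": "fries",
              "cost": 0, "claimed_balance": 10**6}
    print(redeem_trusting_client(Ledger(), forged))  # accepted, charges 0
    print(redeem_server_checked(Ledger(), forged))   # refused, balance is 0
```

In a real deployment the balance read and the debit in the hardened handler belong in one database transaction (or a conditional update such as "debit where balance >= cost"), otherwise two concurrent redemptions can both pass the check; the in-memory ledger here runs sequentially, so the example does not show that race.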
"You could just set up an account for that and it worked, only for delivery orders," Bobdahacker told The Register. Bafflingly, McDonald's did not have a valid security.txt file – a document that defines the process an org suggests security researchers use to share news of vulnerabilities. This lack of transparency has led some to question the company's commitment to security.
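A security.txt file is defined by RFC 9116: it lives at /.well-known/security.txt, must carry at least one Contact field and exactly one Expires field (an ISO 8601 timestamp with a time zone, recommended to be less than a year out), and optionally Canonical, Preferred-Languages and other fields. The checker below is an added example, not from the article or from any company it names; it parses such a file and reports the problems that would leave a researcher with nowhere to report. The sample file, its contact address and its URL are constructed placeholders.

```python
"""Minimal RFC 9116 security.txt checker.

Added example, not from the article or from any company it names. It
parses a security.txt file and reports the problems a researcher would
trip over: no Contact, a missing, malformed or expired Expires, or an
Expires more than a year out (RFC 9116 recommends under a year).
The sample file below is constructed; the address and URL are placeholders.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

SAMPLE = """# constructed example security.txt (placeholder values)
Contact: mailto:security@example.invalid
Expires: 2026-06-01T00:00:00Z
Preferred-Languages: en
Canonical: https://example.invalid/.well-known/security.txt
"""

# Fixed "current time" so the demo and its checks are reproducible.
DEMO_NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Return field name (lower-cased) -> list of values, skipping comments.
    Field names are case-insensitive in RFC 9116, hence the lower-casing."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a "Name: value" line; tolerate and move on
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_expires(value: str) -> datetime | None:
    """Parse an Expires value; None if malformed or missing a time zone."""
    try:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return dt if dt.tzinfo is not None else None


def check_security_txt(text: str, now: datetime | None = None) -> list[str]:
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems: list[str] = []
    if not fields.get("contact"):
        problems.append("no Contact field: researchers have nowhere to report")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append(f"Expires must appear exactly once (found {len(expires)})")
    else:
        dt = _parse_expires(expires[0])
        if dt is None:
            problems.append("Expires is not an ISO 8601 timestamp with a time zone")
        elif dt <= now:
            problems.append("Expires is in the past: the file should be treated as stale")
        elif dt - now > timedelta(days=365):
            problems.append("Expires is more than a year out (RFC 9116 recommends less)")
    return problems


if __name__ == "__main__":
    print(check_security_txt(SAMPLE, now=DEMO_NOW) or "security.txt OK")
```

Run against a live site, fetch https://<host>/.well-known/security.txt and pass the body to check_security_txt; an empty result means a researcher has a usable contact and the file has not lapsed.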
A Series of Critical Flaws
Bobdahacker eventually got through to a security engineer who said that they were "too busy" to fix the flaw, until the hacker pointed out that anyone could get free food. That got the burger barn's attention, and it got the flaw wrapped up. However, the lack of a reporting channel proved to be a major problem with some of the more serious issues discovered later.
Bobdahacker eventually found McDonald's security staff on LinkedIn and contacted them directly to try and get these issues fixed. Intrigued, she decided to dig a little deeper and looked at the corporation's Feel-Good Design Hub, which holds marketing and promotional materials for McDonald's staff and ad agencies in 120 countries. Once again, security was scanty.
A Lack of Transparency
When she alerted the company, it took three months to fix the issue, and even then the solution was a few ingredients short of a Big Mac. While the company did set up proper logins, a little bit of URL customization – in this case changing "login" to "register" – allowed anyone to set up an account and the system then emailed the new user a password in plaintext.
An examination of the JavaScript in the Hub also showed that the MagicBell API key and secret used for authentication were viewable, a security failing which could let an attacker see every user in the system and create all sorts of other mischief. She also examined the setup behind the Algolia search-as-a-service McDonald's uses.
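A key and secret sitting in shipped front-end JavaScript is visible to every visitor, which is why a build pipeline should refuse to publish a bundle that contains one. The scanner below is an added example, not code from the article, MagicBell, Algolia or McDonald's; it flags string literals assigned to secret-looking names and any long literal whose character entropy resembles key material. The sample bundle, its variable names and its credential-shaped values are all constructed placeholders.

```python
"""Scan a front-end JavaScript bundle for embedded secrets.

Added example, not code from the article or any vendor it names. It shows
the check a deploy pipeline can run before a bundle ships: flag string
literals assigned to secret-looking names, and flag any long literal whose
Shannon entropy looks like key material. The bundle below is constructed;
the credential-shaped values in it are placeholders, not real keys.
"""
from __future__ import annotations

import math
import re

# Constructed sample bundle with made-up placeholder values.
SAMPLE_BUNDLE = """
const config = {
  apiKey: "mbk_PLACEHOLDER_a8Zq3LpX9vT2wR5yN7cK4hJ",
  apiSecret: "mbs_PLACEHOLDER_Q1wE2rT3yU4iO5pA6sD7fG8h",
  theme: "light",
  endpoint: "https://example.invalid/api",
};
const greeting = "Welcome to the design hub";
"""

# "name: 'value'" or "name = 'value'" where the name suggests a credential.
SECRET_NAMES = re.compile(
    r"""\b(api[_-]?key|api[_-]?secret|secret|token|password|private[_-]?key)\b"""
    r"""\s*[:=]\s*["']([^"']{8,})["']""",
    re.IGNORECASE,
)
# Any quoted run of 24+ base64/URL-safe characters, whatever it is assigned to.
LONG_LITERAL = re.compile(r"""["']([A-Za-z0-9_\-+/=]{24,})["']""")


def shannon_entropy(s: str) -> float:
    """Bits per character; random key material scores well above prose."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def _line_of(js: str, offset: int) -> int:
    return js[:offset].count("\n") + 1


def find_secrets(js: str, entropy_threshold: float = 3.5) -> list[dict]:
    """Return findings as dicts with kind, value, line and (for named) name."""
    findings: list[dict] = []
    seen: set[str] = set()
    for m in SECRET_NAMES.finditer(js):
        name, value = m.group(1), m.group(2)
        findings.append({"kind": "named-secret", "name": name,
                         "value": value, "line": _line_of(js, m.start())})
        seen.add(value)
    for m in LONG_LITERAL.finditer(js):
        value = m.group(1)
        if value in seen:
            continue  # already reported by name
        if shannon_entropy(value) >= entropy_threshold:
            findings.append({"kind": "high-entropy", "value": value,
                             "line": _line_of(js, m.start())})
    return findings


if __name__ == "__main__":
    for f in find_secrets(SAMPLE_BUNDLE):
        print(f"line {f['line']}: {f['kind']} {f.get('name', '')}".rstrip())
```

Both rules produce false positives (a long static asset hash will trip the entropy rule), so a pipeline normally treats findings as a gate that a reviewer can allow-list by line rather than an automatic failure; the cheap fix for a true positive is to keep the secret server-side and have the browser call an endpoint that holds it.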
More Security Issues Found
This gave access to the names and emails of anyone who had requested access to the site. It's not just staff getting a serving of poor security – McDonald's has staff portals that employees can sign into, but Bobdahacker found that lowly crew members could access the executive portals thanks to a faulty OAuth implementation.
The system also exposed supposedly secret corporate documents. She found that this would allow you to search for any employee, from the CEO down to individual store managers, and get their email addresses.
A Friend of a Friend Gets Fired
A friend working at McDonald's helped with the research, but was fired over "security concerns from corporate" after Bobdahacker informed McDonald's about the flaws. She has no idea how the fast food giant found her friend's identity.
Other Vulnerabilities Exposed
McDonald's isn't the only food business Bobdahacker has exposed as having substandard security. Casa Bonita, the Mexican restaurant that South Park creators Trey Parker and Matt Stone bought and featured in an episode, has leaked data like a colander.
The diner has a Founders Club for supporters that gives them access to promotional deals, special events, and early reservations. One problem – the members' details are stored in a database without admin authentication and open to anyone who knows the URL.
A Pattern of Poor Security
Bobdahacker easily set up an admin account that gave access to members' names, emails, and phone numbers, a record of what they ordered and when, and how much they spent – including how much they tipped. "I couldn't see payment information," she told us, but it's still a lot of very personal data.
A Security.txt File Still Missing
Bobdahacker wrote in her report, "Matt and Trey did an amazing job renovating the restaurant – the digital infrastructure deserves the same care." Once again there was no security.txt, but a friend of a friend got through to management and the issues are now sorted.
A Franchise Portal Missing Admin Authorization
McDonald's is primarily a franchise operation, and a portal called Global Restaurant Standards contains material that defines rules for franchisees to follow. However, the portal was missing one crucial security feature – admin authorization.
In practice this meant that anyone could change material hosted on the site. The problems weren't just limited to McDonald's main site. In 2023 the company launched CosMc's, a coffee shop brand that also sells a few McDonald's food items.
A Coffee Shop Brand Exposes Security Vulnerabilities
The experiment lasted less than two years before the McMothership shut it down, but its IT security was just as bad as its parent's. Bobdahacker found a promotional membership coupon that gave free stuff to the recipient.
This turned out to be easy to reset and it was also possible to change the wording at will. The corporation now appears to have fixed almost all of these issues, although Bobdahacker told us the Feel-Good Design Hub had not yet been "properly secured for registrations."
A Future Without Security.txt
She released details of her findings under responsible disclosure guidelines, but there's also still no security.txt file for others to use if researchers find more security problems. It seems likely they will. Only last month, researchers found that the AI chatbot McDonald's used to screen job applicants, dubbed Olivia, was pitifully easy to hack.
A Chatbot Hack Exposes Millions of Job Applicants' Data
Getting admin access to the bot, built by Paradox.ai, required a password – which turned out to be 123456. Flaw finders used that password and gained access to personal details of 64 million job applicants, including their names, email addresses, phone numbers, and physical addresses.
McDonald's Responds
Paradox apologized and set up a bug bounty program to spot further issues. We asked if McDonald's had anything to say about the security vulnerabilities exposed by Bobdahacker, but at the time of publication they had not delivered.