A Free Chicken Nugget Hack Helped Uncover Multiple McDonald's Cybersecurity Fails
McDonald's has once again hit the headlines with a series of cybersecurity fails, this time discovered by security researcher BobDaHacker. After alerting the company to the possibility of free chicken nuggets by taking advantage of its client-side only reward point validation system, only to be told by a software engineer they were "too busy" to take a report, the intrepid security expert decided to take a closer look at McDonald's cybersecurity overall—and came away with a litany of potential breach points.
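To make the "client-side only" problem concrete, here is an added example (not code from the article or from McDonald's) contrasting a redemption handler that trusts a client-set "already validated" flag with one that checks and debits a server-held balance. The catalogue, point costs, user ids and the `client_validated` field are all constructed for the demo; the detection helper at the end flags requests whose claimed balance disagrees with the ledger, which is the kind of signal a defender would want logged.

```python
"""Client-trusting vs server-validated reward redemption (constructed example)."""
from dataclasses import dataclass, field

# Constructed catalogue: reward item -> point cost. Values are hypothetical.
CATALOGUE = {"nuggets_6pc": 1500, "fries_md": 600}


@dataclass
class Ledger:
    """Server-held balance per user. This is the only source of truth."""
    balances: dict = field(default_factory=dict)


def redeem_trusting_client(ledger, request):
    """Vulnerable pattern: the server believes the client's claim that the
    balance was already checked and never consults its own ledger."""
    item = request.get("item")
    if item not in CATALOGUE:
        return {"ok": False, "reason": "unknown_item"}
    if request.get("client_validated") is True:
        return {"ok": True, "item": item}  # no deduction, no balance check
    return {"ok": False, "reason": "not_validated"}


def redeem_server_validated(ledger, request):
    """Hardened pattern: ignore every client-supplied claim about points,
    look the balance up server-side, and deduct only if it covers the cost."""
    item = request.get("item")
    cost = CATALOGUE.get(item)
    if cost is None:
        return {"ok": False, "reason": "unknown_item"}
    user = request.get("user_id")
    balance = ledger.balances.get(user, 0)
    if balance < cost:
        return {"ok": False, "reason": "insufficient_points", "balance": balance}
    ledger.balances[user] = balance - cost  # a real service would do this atomically
    return {"ok": True, "item": item, "balance": ledger.balances[user]}


def flag_balance_mismatches(ledger, requests):
    """Detection: return user ids whose request claims more points than the
    ledger holds. A steady stream of these is a sign of client tampering."""
    flagged = []
    for req in requests:
        user = req.get("user_id")
        claimed = req.get("client_balance", 0)
        if claimed > ledger.balances.get(user, 0):
            flagged.append(user)
    return flagged


if __name__ == "__main__":
    ledger = Ledger(balances={"u1": 200})
    tampered = {"user_id": "u1", "item": "nuggets_6pc", "client_validated": True}
    print("trusting client:", redeem_trusting_client(ledger, tampered))
    print("server validated:", redeem_server_validated(ledger, tampered))
```

The only state the hardened handler reads from the request is the item and the user identity (which in practice comes from an authenticated session, not from the body); everything about points lives on the server.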
First up was the McDonald's Feel-Good Design Hub, a central platform for brand assets and marketing materials (via Tom's Hardware). BobDaHacker reported to the company that its client-side password policy was a potential security risk, which McDonald's duly began working on over the next three months. However, after it was finished, BobDaHacker took a look at its new login system, only to discover that all they had to do was "change 'login' to 'register' in the URL" in order to sign up for an account.
The password Bob received was then emailed to them in plaintext, and after logging in they were able to access a large number of materials, some of which were marked "highly confidential and proprietary information." This discovery raises serious concerns about the security of McDonald's internal systems. Moreover, BobDaHacker also discovered that the company's MagicBell API key was left viewable in the JavaScript, potentially allowing hackers to list every user in the system and send official-looking notifications to anyone on the list, which they claim could be used to "run a phishing campaign with McDonald's own infrastructure."
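Anything shipped in a JavaScript bundle is readable by every visitor, so the defensive control is to scan build output for credentials before it is deployed. The following is an added example of such a pre-deploy scanner, not code from the article or from any vendor: it walks a constructed bundle line by line, matches assignments to key-like variable names, and uses Shannon entropy to separate real-looking secrets from placeholders. The bundle text, variable names and key values are all invented.

```python
"""Scan a JavaScript bundle for hardcoded API keys (constructed example)."""
import math
import re

# Constructed bundle. The key strings are invented and carry no real credential.
SAMPLE_BUNDLE = """
const MAGICBELL_API_KEY = "mbk_constructed_9f3Ab7Qx2Lm8Zt4Vw1Rp";
const apiKey = "0000000000000000";
const sessionToken = "constructed-Qp9dR2kV7mX1bN5cZ8tL";
fetch("/v1/notifications", { headers: { "X-Api-Key": MAGICBELL_API_KEY } });
const pageTitle = "welcome";
"""

# Assignment of a quoted, key-shaped literal to a variable whose name ends in
# api_key / apiKey / secret / token (case-insensitive).
KEY_ASSIGN = re.compile(
    r"""(?i)\b([a-z_]*(?:api[_-]?key|secret|token))\b\s*[:=]\s*["']([A-Za-z0-9_\-]{16,})["']"""
)


def shannon_entropy(s):
    """Bits of entropy per character; random-looking keys score well above 3."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_bundle(text, min_entropy=3.0):
    """Return one finding per suspicious assignment. The value is masked so the
    scanner's own report does not become a second place the secret is exposed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_ASSIGN.finditer(line):
            name, value = m.group(1), m.group(2)
            ent = shannon_entropy(value)
            if ent >= min_entropy:  # low-entropy strings are usually placeholders
                findings.append({
                    "line": lineno,
                    "name": name,
                    "entropy": round(ent, 2),
                    "preview": value[:4] + "..." + value[-2:],
                })
    return findings


if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_BUNDLE):
        print(f"line {f['line']}: {f['name']} (entropy {f['entropy']}) {f['preview']}")
```

Run against real build output this would be one stage of a CI pipeline that fails the deploy on any finding; the entropy threshold is a heuristic and should be tuned against the project's own false-positive rate.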
Perhaps most shocking was the level of access a McDonald's crew member could obtain with a basic account. BobDaHacker claims that not only could base-level access be used to read internal corporate documents and look up the personal emails of any McDonald's employee, from store managers to the CEO, but the GRS (Global Restaurant Standards) tool could be used to update any page content with HTML, via an API endpoint with no cookies.
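An endpoint that rewrites page content with HTML and accepts requests carrying no session cookie is missing two separate controls: authentication with an authorization check, and sanitization of the submitted markup. The added example below (written for this page, not the GRS tool's actual code) shows both layers in a framework-free handler. The session store, cookie names, role names and allowed-tag list are all constructed assumptions.

```python
"""Gate a page-update endpoint on a server-side session and sanitize its HTML
(constructed example)."""
import html
from html.parser import HTMLParser

# Constructed session store: cookie value -> session record. A real service
# would back this with a database or cache; these ids and roles are invented.
SESSIONS = {
    "sid-editor-1": {"user": "alice", "roles": {"crew", "grs_editor"}},
    "sid-crew-1": {"user": "bob", "roles": {"crew"}},
}

# Only these tags survive; every attribute is dropped, so event handlers and
# javascript: URLs never reach the stored page.
ALLOWED_TAGS = {"p", "b", "i", "ul", "li", "h2", "br"}


class _Sanitizer(HTMLParser):
    """Allow-list sanitizer: keeps permitted tags without attributes and
    re-escapes all text, so anything else is rendered as literal characters."""

    def __init__(self):
        super().__init__()
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")

    def handle_startendtag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def sanitize_html(fragment):
    parser = _Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def handle_page_update(request):
    """request: {"cookies": {...}, "page": str, "body": str}.
    Returns (http_status, payload). Identity comes from the cookie-backed
    session, never from the request body."""
    sid = request.get("cookies", {}).get("session")
    session = SESSIONS.get(sid)
    if session is None:
        return 401, {"error": "authentication required"}
    if "grs_editor" not in session["roles"]:
        return 403, {"error": "editor role required"}
    clean = sanitize_html(request.get("body", ""))
    return 200, {"page": request.get("page"), "body": clean, "by": session["user"]}


if __name__ == "__main__":
    print(handle_page_update({"cookies": {}, "page": "home", "body": "<p>hi</p>"}))
    print(handle_page_update({"cookies": {"session": "sid-editor-1"}, "page": "home",
                              "body": "<h2>Hi</h2><p>ok</p>"}))
```

The order of the checks matters: an unauthenticated caller learns nothing about roles or pages, and a logged-in user without the editor role is refused before the body is even parsed.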
BobDaHacker says they used this capability to display a large image of Shrek on the GRS homepage, before changing it back after a minute. The security researcher then attempted to use available security contact info to report all of these potential breach points, but found it was outdated, with no easy way to inform the company of its cybersecurity failings.
As a result, they resorted to calling McDonald's HQ, before being stymied by an automated phone system that required them to say the name of someone they wanted to be connected to. Undeterred, they began namedropping random security employees they'd discovered on LinkedIn, before eventually being called back with information on where to report the issues.
BobDaHacker now claims that most of the vulnerabilities have since been fixed, but McDonald's still hasn't established a proper security reporting channel, and the crew member who helped them research the employee authentication vulnerabilities was let go for "security concerns from corporate."
They still believe that some of the flagged tools might be accessible, and suggest that McDonald's should consider a bug bounty program to prevent further exploits. The discovery of serious security lapses in the McDonald's AI-based McHire platform, which until recently could be logged in to via an administrator account with the username and password "123456", also highlights the need for better security practices at the company.
All of this brings to mind the importance of cybersecurity awareness and responsible disclosure. While it's understandable that companies may not always have the resources or expertise to fix all potential vulnerabilities, they must do their best to prioritize their customers' and employees' safety. As for McDonald's, they should take a closer look at their internal systems and consider implementing more robust security measures.