They weren't lovin' it: Hacker cracks McDonald's security in quest for free nuggets
A security researcher's attempt to claim free food through the McDonald's app rewards system turned into something far more revealing: serious weaknesses in the company's online systems. BobDaHacker, an experienced security researcher, found multiple vulnerabilities across McDonald's mobile app and web properties, one of which exposed internal marketing assets and brand materials.
One flaw was significant enough to grant Bob access to the "Feel-Good Design Hub," a central platform used by employees and agencies in over 120 countries, raising concerns about the company's security posture and its ability to protect sensitive information.
Reporting security issues the hard way
Bob attempted to disclose these flaws through official channels but met significant obstacles. According to Bob, McDonald's once published a "security.txt" file (the machine-readable contact file standardized in RFC 9116 and served at /.well-known/security.txt) listing contacts for researchers reporting vulnerabilities, but it disappeared just months after being posted. Without a clear path for reporting, Bob had to dig through LinkedIn for staff names and repeatedly call headquarters until someone finally responded.
A process this drawn out suggests that other researchers may give up long before their findings reach the right people, and the lack of a direct disclosure channel raises questions about whether companies like McDonald's are doing enough to prioritize vulnerability reporting.
More vulnerabilities uncovered
Even after McDonald's replaced the password-only protection with account-based login, another oversight remained. By changing "login" to "register" in the URL, Bob reached a registration endpoint that was still live and could create new accounts with full access. Worse still, the registration flow emailed the new password in plain text, a practice discredited for decades: a password that can be mailed back is one the server holds in recoverable form, and it then sits in inboxes, mail logs and any forwarded message for as long as they exist.
This basic failure raises difficult questions about priorities within the company. Logic flaws like an open registration endpoint are not something a firewall or endpoint security suite can stop; they are caught by application-level controls such as server-side authorization checks, code review and pre-release security testing, and when flaws this easy to find keep appearing, it is fair to ask whether those reviews are applied consistently.
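The two defects in the registration flow are a pair: a route the interface does not link to is still a public route unless the server itself refuses it, and a password the server can email is a password it stores in clear. The following is an added example in Python, not McDonald's code; the route names, the in-memory "hub", the invite-token scheme and the outbox list standing in for a mail server are all assumed for the demonstration.

```python
"""Unlinked registration and emailed passwords: vulnerable vs hardened (added example).

Both tiny apps route on the last path segment, so "/hub/login" -> "login"
and "/hub/register" -> "register". The vulnerable one serves register to
anyone and mails the password; the hardened one gates registration on a
server-side invite and stores only a salted PBKDF2 hash. No network is
used; `outbox` is a constructed stand-in for sent mail.
"""
import hashlib
import hmac
import os
import secrets


class VulnerableHub:
    """Hiding the 'register' link from the UI did not disable the route."""

    def __init__(self):
        self.users = {}    # username -> plaintext password: recoverable by design
        self.outbox = []   # constructed stand-in for the mail server

    def handle(self, path, form):
        action = path.rstrip("/").rsplit("/", 1)[-1]
        if action == "login":
            return self.users.get(form["user"]) == form["password"]
        if action == "register":  # reachable by anyone who edits the URL
            pw = form.get("password") or secrets.token_urlsafe(8)
            self.users[form["user"]] = pw  # also silently overwrites an existing user
            self.outbox.append(f"To: {form['email']}\nYour password is {pw}")  # plaintext in mail
            return True
        return None  # 404


class HardenedHub:
    """The route still exists; the server decides who may use it."""

    def __init__(self, invite_secret, registration_open=False):
        self.invite_secret = invite_secret          # assumed server-side secret
        self.registration_open = registration_open  # explicit server-side switch
        self.users = {}    # username -> (salt, pbkdf2 digest)
        self.outbox = []

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

    def issue_invite(self, email):
        """Admin-side: mint an invite bound to one address (the only way in while closed)."""
        return hmac.new(self.invite_secret, email.encode(), "sha256").hexdigest()

    def _valid_invite(self, email, token):
        return hmac.compare_digest(self.issue_invite(email), token or "")

    def handle(self, path, form):
        action = path.rstrip("/").rsplit("/", 1)[-1]
        if action == "login":
            rec = self.users.get(form["user"])
            if rec is None:
                return False
            salt, digest = rec
            return hmac.compare_digest(digest, self._hash(form["password"], salt))
        if action == "register":
            if not self.registration_open and not self._valid_invite(form["email"], form.get("invite")):
                return False  # 403: the URL is guessable, the authorization is not
            if form["user"] in self.users:
                return False  # never let registration overwrite an account
            salt = os.urandom(16)
            self.users[form["user"]] = (salt, self._hash(form["password"], salt))
            # Confirm that an account exists; never echo the credential.
            self.outbox.append(f"To: {form['email']}\nYour Design Hub account {form['user']} was created.")
            return True
        return None


def demo():
    """Exercise both apps and report what an attacker and a legitimate user get."""
    mallory = {"user": "mallory", "email": "mallory@example.com", "password": "hunter2"}
    v = VulnerableHub()
    v.handle("/hub/register", mallory)

    h = HardenedHub(invite_secret=b"constructed-demo-secret")
    blocked = h.handle("/hub/register", mallory)
    alice = {"user": "alice", "email": "alice@example.com", "password": "correct horse",
             "invite": h.issue_invite("alice@example.com")}
    invited_ok = h.handle("/hub/register", alice)
    return {
        "vuln_register_open": v.handle("/hub/login", {"user": "mallory", "password": "hunter2"}),
        "vuln_mail_leaks_password": "hunter2" in v.outbox[0],
        "hardened_blocked_uninvited": blocked is False,
        "hardened_invited_ok": invited_ok,
        "hardened_login_good": h.handle("/hub/login", {"user": "alice", "password": "correct horse"}),
        "hardened_login_bad": h.handle("/hub/login", {"user": "alice", "password": "wrong"}),
        "hardened_mail_leaks_password": "correct horse" in h.outbox[0],
    }


if __name__ == "__main__":
    for k, val in demo().items():
        print(f"{k}: {val}")
```

The invite token here is an HMAC over the address with a server secret, so a URL edit buys nothing without it; in a real deployment the token would also carry an expiry and be single-use. The password is hashed with a per-user salt and compared in constant time, which is the reason the hardened version cannot email it even if someone wanted to.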
Consequences beyond marketing assets
The vulnerabilities Bob uncovered have consequences beyond marketing assets and brand materials. Employee and customer information could be at stake too, particularly in a company with McDonald's global reach.
A call to action
McDonald's reportedly fixed most of the vulnerabilities Bob flagged, but the company has not re-established a reliable reporting channel for future disclosures. Without one, serious flaws risk being overlooked or ignored until someone exploits them.
Companies operating at this scale need to treat vulnerability reporting as part of their security program: a published and maintained disclosure channel (a security.txt file is the simplest form) so researchers can reach the right people quickly, backed by the application-level controls needed to protect the sensitive information behind it.
About the author
Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master's and a PhD in sciences, which provided him with a solid foundation in analytical thinking. Efosa developed a keen interest in technology policy, specifically exploring the intersection of privacy, security, and politics.
His research delves into how technological advancements influence regulatory frameworks and societal norms, particularly concerning data protection and cybersecurity. Since joining TechRadar Pro, Efosa has also focused on B2B security products. He can be contacted at [udinmwenefosa@gmail.com](mailto:udinmwenefosa@gmail.com).