MCDonald’s Free Nuggets Hack Leads to Expose of Confidential Data


A series of alarming vulnerabilities in McDonald’s digital infrastructure, from free food exploits to exposed executive data.

What started as a simple app glitch developed into a months-long ordeal, culminating in the researcher, BobDaHacker, cold-calling the company’s headquarters while naming security employees he had found on LinkedIn. The fixes were implemented only after extraordinary efforts to be heard.

It all started innocently enough with the McDonald’s mobile app. The researcher discovered that reward points validation was handled client-side only, allowing users to claim free items like nuggets without sufficient points.
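The client-side-only validation described above, shown as an added example that is not the app’s code: the reward catalogue, field names and point values are constructed, and the two handlers contrast trusting the client’s claim with checking the server-side ledger.

```python
from dataclasses import dataclass, field

# Constructed reward catalogue: item id -> points required (hypothetical values).
CATALOG = {"nuggets_6pc": 1500, "fries_medium": 1500, "mcflurry": 3000}


@dataclass
class Account:
    user_id: str
    points: int
    redeemed: list = field(default_factory=list)


def redeem_client_trusted(account: Account, request: dict) -> bool:
    """Vulnerable pattern: the server believes the client's claim that the
    balance check already passed and merely records the redemption. A
    modified request with "eligible": True gets the item for free."""
    if request.get("eligible") is not True:
        return False
    account.redeemed.append(request["item"])
    return True


def redeem_server_validated(account: Account, request: dict) -> bool:
    """Hardened pattern: the only client-controlled input used is the item
    id; the cost comes from the server-side catalogue, the balance from the
    server-side account, and the deduction is made in the same decision."""
    item = request.get("item")
    cost = CATALOG.get(item)
    if cost is None:            # unknown or tampered item id
        return False
    if account.points < cost:   # insufficient balance, whatever the client claims
        return False
    account.points -= cost
    account.redeemed.append(item)
    return True


if __name__ == "__main__":
    # Constructed request from an account with zero points that asserts eligibility.
    tampered = {"item": "nuggets_6pc", "eligible": True}
    print(redeem_client_trusted(Account("u1", 0), tampered))    # True: free nuggets
    print(redeem_server_validated(Account("u1", 0), tampered))  # False: rejected
```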


BobDaHacker’s attempts to report this led to a software engineer dismissing it as “too busy,” though the bug was patched days later, possibly after the engineer investigated it himself.

He explored the depths of McDonald’s systems and discovered vulnerabilities in the Design Hub, a platform used for brand assets by teams in 120 countries. This platform relied on a client-side password for protection.

After reporting this issue, the company undertook a three-month overhaul to implement proper logins for employees and partners. However, a significant flaw remained: by simply changing “login” to “register” in the URL, an unauthenticated registration endpoint could still be reached.


The API also provided guidance to users on any missing fields, making account creation alarmingly easy. Even more concerning, passwords were sent via email in plaintext, an extremely risky practice in 2025.


Subsequent tests confirmed that the endpoint was still accessible, allowing unauthorized access to confidential materials intended for internal use only, BobDaHacker said.

JavaScript files in the Design Hub revealed more: exposed Magicbell API keys and secrets allowed listing users and sending phishing notifications via McDonald’s infrastructure. These were rotated post-report. Algolia search indexes were also listable, exposing personal data like names, emails, and access requests.

Employee portals proved equally vulnerable. Basic crew member accounts could access TRT, a corporate tool, to search global employee details, including executives’ emails, and even use an “impersonation” feature.


The Global Restaurant Standards (GRS) panel lacked authentication for admin functions, letting anyone inject HTML via APIs. To demonstrate, the researcher briefly altered the homepage to “You’ve been Shreked” before reverting it.

Further issues included misconfigured Stravito access, exposing internal documents to low-level staff, and exploits in CosMc’s experimental restaurant app, such as unlimited coupon redemptions and arbitrary order data injection.

Last month, a severe security vulnerability in McDonald’s AI-powered hiring platform exposed 64 million job applicants’ personal data as a result of weak security, including the use of the password “123456.”

In the aftermath, most vulnerabilities were addressed, though some, like the registration endpoint, may linger. Tragically, a collaborator was dismissed over related “security concerns.” McDonald’s has yet to establish a bug bounty program or reliable reporting mechanism.

The researcher offers advice: Maintain an up-to-date security.txt, provide direct security contacts, and launch a bounty program to encourage ethical disclosures. This episode underscores the perils of lax security in global corporations—and the lengths researchers go to protect them.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.