- Researcher finds that a free-nugget exploit exposed much deeper weaknesses in McDonald’s systems
- McDonald’s apparently has no obvious path for researchers to report vulnerabilities
- A URL change from “Login” to “Register” granted account access
What began as an attempt to claim free food through the McDonald’s app’s rewards system turned into something far more revealing for a security researcher.
A security researcher known as “BobdaHacker” discovered serious weaknesses in McDonald’s online systems while trying to redeem a reward for free McNuggets through the company’s mobile app.
The flaw ran deep and gave access to the “Feel-Good Design Home”, a central platform for marketing assets and brand materials used by employees and agencies in more than 120 countries.
Reporting Security Issues the Hard Way
Attempts to disclose these weaknesses highlighted another concern: McDonald’s had no clear path for researchers to report vulnerabilities. According to Bob, the company once had a security.txt file listing contacts, but it disappeared only months after it was posted.
With no direct disclosure channel, Bob had to dig through LinkedIn for staff names and repeatedly call headquarters until someone finally answered.
Such a drawn-out process suggests that other researchers may give up long before their findings reach the right people.
Even after McDonald’s replaced its password system with an account-based login, another oversight remained.
By changing “login” to “register” in the URL, Bob was able to create new accounts with full access.
Worse, on signup the system sent out passwords in plain text, a practice that has been discredited for decades because of the risks it creates for identity theft and abuse.
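The two flaws just described, an unguarded register route sitting beside the login route and a signup that hands the password back in the clear, are easy to see side by side in a toy route handler. The code below is an added example, not McDonald’s code or the researcher’s; the route names, the invite-token gate used to close registration, and all usernames and passwords are assumptions for the demo.

```python
"""Added example (not from McDonald's or the researcher): an insecure route
handler with the article's two flaws beside a hardened one."""
import hashlib
import hmac
import os


class InsecureAuthApp:
    """Flawed version: rewriting /login to /register in the URL creates an
    account for anyone, and the response echoes the plain-text password."""

    def __init__(self):
        self.users = {}  # username -> plain-text password (never store this)

    def handle(self, path, params):
        if path == "/register":  # reachable by anyone, no gate at all
            self.users[params["user"]] = params["password"]
            # Second flaw: the secret goes back to the client in the clear.
            return 201, f"Welcome {params['user']}, your password is {params['password']}"
        if path == "/login":
            if self.users.get(params.get("user")) == params.get("password"):
                return 200, "logged in"
            return 401, "bad credentials"
        return 404, "not found"


class HardenedAuthApp:
    """Fixed version: /register needs a single-use invite token minted by an
    administrator, passwords are stored as salted PBKDF2 hashes and never
    echoed, and login compares digests in constant time."""

    ITERATIONS = 200_000

    def __init__(self, invite_tokens):
        self.users = {}  # username -> (salt, pbkdf2 digest)
        self.invites = set(invite_tokens)

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                   HardenedAuthApp.ITERATIONS)

    def handle(self, path, params):
        if path == "/register":
            token = params.get("invite")
            if token not in self.invites:
                return 403, "registration is invite-only"
            self.invites.discard(token)  # each invite works exactly once
            salt = os.urandom(16)
            self.users[params["user"]] = (salt, self._digest(params["password"], salt))
            return 201, "account created"  # nothing secret in the response
        if path == "/login":
            record = self.users.get(params.get("user"))
            # Hash even for unknown users so timing does not reveal valid names.
            salt, stored = record if record else (b"\0" * 16, b"\0" * 32)
            candidate = self._digest(params.get("password", ""), salt)
            if record and hmac.compare_digest(stored, candidate):
                return 200, "logged in"
            return 401, "bad credentials"
        return 404, "not found"


if __name__ == "__main__":
    weak = InsecureAuthApp()
    print(weak.handle("/register", {"user": "mallory", "password": "hunter2"}))
    strong = HardenedAuthApp(["invite-abc"])
    print(strong.handle("/register", {"user": "mallory", "password": "hunter2"}))
    print(strong.handle("/register", {"user": "alice", "password": "s3cret", "invite": "invite-abc"}))
    print(strong.handle("/login", {"user": "alice", "password": "s3cret"}))
```

The point to take from the hardened version is that the registration route is gated on the server, not hidden by a missing link, and that a password never needs to be sent or stored in a form anyone can read.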
While companies of McDonald’s scale face unique challenges in rolling out secure systems, such basic failures raise difficult questions about priorities.
This is not the first time McDonald’s has come under scrutiny for weak protective measures: only a month earlier, another problem came to light when a platform storing private data was found protected by the password “123456.”
When weaknesses are repeatedly this easy to exploit, it raises doubts about whether firewalls, security suites or even routine internal reviews are being applied consistently.
For a company of global reach, lapses of this kind have consequences beyond marketing assets, since employee and customer information could be at stake.
McDonald’s has reportedly fixed most of the vulnerabilities flagged by Bob, but the company has not restored a reliable reporting channel for future disclosures.
Without one, the risk remains that serious weaknesses will be overlooked or ignored until they are exploited.
Via Tom’s Hardware