A sequence of alarming vulnerabilities in McDonald’s digital infrastructure, from free-meal exploits to exposed government data.
What began as a simple app glitch developed into a months-long ordeal, culminating in the researcher, BobDaHacker, cold-calling the company’s headquarters while name-dropping security staff he found on LinkedIn. The fixes were implemented only after extraordinary efforts to be heard.
It started innocently enough with the McDonald’s mobile app. The researcher discovered that reward points validation was handled client-side only, allowing users to claim free items like nuggets without sufficient points.
BobDaHacker’s attempts to report this led to a software engineer dismissing him as “too busy,” though the bug was patched days later, probably after the engineer investigated it himself.
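The client-side validation flaw described above, as an added illustration that is not code from the researcher or from McDonald’s: a constructed rewards service with the handler that trusts the app’s eligibility claim next to a server-authoritative one (item names, point costs, account balances and request ids are all invented).

```python
from dataclasses import dataclass, field

# Constructed reward catalogue (item -> points required); not McDonald's real values.
CATALOG = {"nuggets": 1500, "fries": 800}

@dataclass
class Account:
    points: int
    redeemed: list = field(default_factory=list)
    seen_requests: set = field(default_factory=set)

class RewardService:
    def __init__(self, accounts):
        self.accounts = accounts  # user id -> Account, the server's own ledger

    def redeem_trusting_client(self, user, item, client_says_eligible):
        """Vulnerable pattern: the app computes eligibility and the server believes it.
        Nothing is checked or deducted server-side, so a modified request gets free items."""
        acct = self.accounts[user]
        if not client_says_eligible:
            return False
        acct.redeemed.append(item)
        return True

    def redeem_server_authoritative(self, user, item, request_id):
        """Hardened pattern: the server alone decides, from its own ledger and price list."""
        acct = self.accounts.get(user)
        cost = CATALOG.get(item)
        if acct is None or cost is None:
            return False  # unknown account or item the client invented
        if request_id in acct.seen_requests:
            return False  # replayed request id: refuse a double redemption
        if acct.points < cost:
            return False  # insufficient balance; whatever the client claims is irrelevant
        acct.seen_requests.add(request_id)
        acct.points -= cost
        acct.redeemed.append(item)
        return True

def demo():
    """Constructed walkthrough: a zero-balance account tries to claim nuggets both ways."""
    svc = RewardService({"u1": Account(points=0), "u2": Account(points=1600)})
    free_nuggets = svc.redeem_trusting_client("u1", "nuggets", client_says_eligible=True)
    denied = svc.redeem_server_authoritative("u1", "nuggets", "req-1")
    paid = svc.redeem_server_authoritative("u2", "nuggets", "req-2")
    replay = svc.redeem_server_authoritative("u2", "nuggets", "req-2")
    return free_nuggets, denied, paid, replay, svc.accounts["u2"].points
```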
He explored McDonald’s systems further and found vulnerabilities in the Design Hub, a platform used for brand assets by teams in 120 countries. This platform relied on a client-side password for protection.
After this issue was reported, the company undertook a three-month overhaul to implement proper logins for employees and partners. However, a significant flaw remained: by simply changing “login” to “register” in the URL, an open registration endpoint could be accessed.
The API also provided guidance on any missing fields, making account creation alarmingly easy. Even more concerning, passwords were sent via email in plaintext, an extremely risky practice in 2025.
Subsequent tests confirmed that the endpoint was still accessible, allowing unauthorized access to confidential materials intended for internal use only, BobDaHacker said.
JavaScript files in the Design Hub revealed more: exposed Magicbell API keys and secrets allowed listing users and sending phishing notifications through McDonald’s infrastructure. These were rotated post-report. Algolia search indexes were also listable, exposing personal data like names, emails, and access requests.
Employee portals proved equally vulnerable. Basic crew member accounts could access TRT, a corporate tool, to search global employee details, including executives’ emails, and even use an “impersonation” feature.
The Global Restaurant Standards (GRS) panel lacked authentication for admin functions, letting anyone inject HTML via its APIs. To demonstrate, the researcher briefly altered the homepage to “You’ve been Shreked” before reverting it.
Further issues included misconfigured Stravito access, exposing internal documents to low-level staff, and exploits in CosMc’s experimental restaurant app, such as unlimited coupon redemptions and arbitrary order data injection.
Last month a severe security vulnerability in McDonald’s AI-powered hiring platform exposed 64 million job applicants’ personal data through weak security, with the password “123456” in use.
In the aftermath, most vulnerabilities were addressed, though some, like the registration endpoint, may linger. Sadly, a collaborator was dismissed over related “security concerns.” McDonald’s has yet to establish a bug bounty program or a reliable reporting mechanism.
The researcher offers advice: maintain an up-to-date security.txt, provide direct security contacts, and launch a bounty program to encourage ethical disclosures. This episode underscores the perils of lax security in global corporations, and the lengths researchers go to in order to protect them.