- A researcher's attempt to exploit free nuggets exposed much deeper defects in McDonald's systems
- McDonald's apparently has no obvious path for researchers to report vulnerabilities
- Changing "login" to "register" in a URL granted full access to account creation
What started as an attempt to claim free food through McDonald's app turned into something far more revealing for a security researcher.
A security researcher known as "Bobdahacker" discovered serious weaknesses in McDonald's online systems while trying to redeem a reward for free McNuggets through the company's mobile app.
The flaw ran deep, granting access to the "shrimp shrimp design hub", a central platform for marketing assets and brand materials used by employees and agencies in more than 120 countries.
Reporting security problems is hard
The attempts to disclose these flaws highlighted another concern: McDonald's had no clear path for researchers to report vulnerabilities. According to Bob, the company once published a "security.txt" file, but it disappeared only a few months later.
Without a direct disclosure channel, Bob had to dig through LinkedIn for staff names and repeatedly call the head office until someone finally responded.
This drawn-out process suggests that other researchers may give up long before their findings reach the right people.
Even after McDonald's replaced its password-based system with account-based login, another oversight remained.
By changing "login" to "register" in the URL, Bob was able to create new accounts with full access.
Worse still, during registration the system sent an e-mail containing the password in plain text, a practice discredited for decades because of the risks it creates for identity theft and account abuse.
While companies of McDonald's scale face unique challenges in deploying secure systems, these basic failures raise hard questions about priorities.
This is not the first time McDonald's has faced scrutiny for weak safeguards: a month earlier, another problem came to light when a platform storing private data was protected by the password "123456".
When flaws are repeatedly this easy to exploit, it raises doubts about whether firewalls, security suites, or even routine internal reviews are applied consistently.
For a company with global reach, gaps of this kind have consequences beyond marketing assets, because employee and customer information could be at stake.
McDonald's has reportedly fixed most of the vulnerabilities Bob reported, but the company has not restored a reliable reporting channel for future disclosures.
Without one, the risk remains that serious defects will be overlooked or ignored until they are exploited.
Via Tom's Hardware