Hacker hacks McDonald's system for free nuggets, finds vulnerabilities worth millions
by ascendo - 02-09-25, 05:15 PM
#1
The story of how a hacker-enthusiast broke into McDonald's digital infrastructure for free nuggets turned into a large-scale security investigation that revealed dozens of vulnerabilities in the corporation's systems. A user nicknamed BobDaHacker published a detailed report on August 17, 2025, describing step by step how a trivial error in the rewards app allowed him to dig into much more serious problems.

The first flaw was simple: the mobile app did not check the number of bonus points on the server side, limiting itself to client-side validation. This meant that with minimal modification of the traffic, it was possible to receive food without any accumulated points. After the researcher reported the bug, the problem was closed, in his view, but the lack of serious attention from the engineers prompted him to continue his analysis.

Further research led him to the internal Feel-Good Design Hub portal, used by McDonald's marketing teams in 120 countries. The site was protected only by a customer password, an outdated practice that offered no real protection. The company later implemented an authorization system, but it too had a loophole: simply replacing "login" with "register" in the URL opened a registration form.

After the fields were filled in, the system sent the password in an unencrypted email, which is in itself a critical violation of modern standards. The platform stored video materials marked as confidential, which could be accessed by anyone who had completed such a “registration”.

BobDaHacker found public Magicbell API keys in the site's scripts, which allowed fake notifications to be sent on behalf of McDonald's infrastructure. This capability opened the way to phishing attacks. In addition, Algolia search indexes were accessible containing the personal data of people who had requested access to internal systems, including their names, email addresses, and search history.

Particular attention was drawn to corporate portals, where the accounts of ordinary employees had access to resources intended for management. For example, the TRT service allowed searching for information about any employee by ID or name, revealing personal email addresses. It also had an “impersonation” function that allowed data to be retrieved on behalf of other users. And in the GRS tool for franchisees, BobDaHacker demonstrated the ability to change interface elements without authorization, which effectively gave full control over administrative functions.

Even the experimental restaurant project CosMc's was not properly protected: the promo code for new users could be activated an unlimited number of times. Moreover, the researcher found a way to embed arbitrary data into orders, which allowed him to interfere with their processing.

The biggest challenge came when he tried to report the threats he had found. The company had once published a security.txt file indicating a contact for such cases, but it was later removed. BobDaHacker eventually sought attention by calling headquarters and searching for employees on LinkedIn. Only after persistent attempts was he redirected to the right person. Although most of the holes were later patched, the process demonstrated McDonald's reluctance to engage with researchers. In the process, the friend BobDaHacker had used for the test lost his job.

This story shows that even giants with multimillion-dollar budgets are susceptible to critical blunders: client-side validation, cleartext passwords, unauthenticated admin functions. McDonald's still has neither a bug bounty program nor a transparent communication channel for responsible disclosure. This means that such loopholes can either remain unpatched or fall into the hands of far less conscientious hackers.

Source: https://www.securitylab.ru/news/562660.php
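Added example (not code from the original post, and not McDonald's or BobDaHacker's code): the two flaws the post describes in the rewards app and in CosMc's, a points balance trusted from the client and a promo code with no server-side use counter, shown next to a hardened version that keeps the ledger and the promo state on the server. Menu prices, account data and the promo code are constructed values.

```python
"""Server-side validation for a loyalty redemption endpoint.

Added example, not code from the original post. It shows a handler that trusts
the points balance sent by the mobile app, next to a hardened handler that keeps
the balance and promo-code state on the server and treats every field the
client sends as untrusted input.
"""
import threading
from dataclasses import dataclass, field

MENU = {"nuggets_10pc": 1500, "fries": 800}  # reward cost in points (constructed)


@dataclass
class Account:
    user_id: str
    points: int
    redeemed_promos: set = field(default_factory=set)


class VulnerableRewards:
    """Trusts the 'points' field the app sends; any intercepting proxy can rewrite it."""

    def redeem(self, request: dict) -> dict:
        cost = MENU[request["item"]]
        if request["points"] >= cost:  # client-supplied balance decides the outcome
            return {"ok": True, "voucher": f"{request['item']}-{request['user_id']}"}
        return {"ok": False, "error": "insufficient points"}


class HardenedRewards:
    """Server-side ledger; balance check and debit happen under one lock."""

    def __init__(self, accounts: dict, promos: dict):
        self._accounts = accounts  # user_id -> Account (constructed store)
        self._promos = promos      # promo code -> points granted (constructed)
        self._lock = threading.Lock()

    def redeem(self, user_id: str, item: str) -> dict:
        if item not in MENU:
            return {"ok": False, "error": "unknown item"}
        cost = MENU[item]
        with self._lock:  # check-and-debit is atomic, so no double spend on parallel requests
            acct = self._accounts.get(user_id)
            if acct is None:
                return {"ok": False, "error": "unknown user"}
            if acct.points < cost:  # the server's number, never the client's
                return {"ok": False, "error": "insufficient points"}
            acct.points -= cost
            remaining = acct.points
        return {"ok": True, "voucher": f"{item}-{user_id}", "remaining": remaining}

    def apply_promo(self, user_id: str, code: str) -> dict:
        with self._lock:
            acct = self._accounts.get(user_id)
            grant = self._promos.get(code)
            if acct is None or grant is None:
                return {"ok": False, "error": "invalid code"}
            if code in acct.redeemed_promos:  # one redemption per account, enforced server-side
                return {"ok": False, "error": "code already used"}
            acct.redeemed_promos.add(code)
            acct.points += grant
            total = acct.points
        return {"ok": True, "points": total}


def demo() -> dict:
    """Runs a tampered request against both handlers (constructed data)."""
    # The app claims a huge balance; the real server-side balance for u1 is 0.
    tampered = {"user_id": "u1", "item": "nuggets_10pc", "points": 999999}
    vuln = VulnerableRewards().redeem(tampered)

    svc = HardenedRewards({"u1": Account("u1", 0)}, {"NEWUSER": 1500})
    hard = svc.redeem("u1", "nuggets_10pc")    # rejected: server balance is 0
    promo1 = svc.apply_promo("u1", "NEWUSER")  # first use grants 1500 points
    promo2 = svc.apply_promo("u1", "NEWUSER")  # replay of the same code is refused
    after = svc.redeem("u1", "nuggets_10pc")   # succeeds exactly once
    again = svc.redeem("u1", "nuggets_10pc")   # balance is now 0 again
    return {"vuln": vuln, "hard": hard, "promo1": promo1,
            "promo2": promo2, "after": after, "again": again}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point of the lock is the same as the point of the server-side balance: the decision and the state change must happen in one place the client cannot influence. Without it, two simultaneous redemptions can both read a sufficient balance before either debit lands, which is the concurrent cousin of the promo-code replay the post describes.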

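Added example for the leaked API keys in the portal's scripts (not code from the original post): a small scanner that pulls candidate credentials out of a front-end bundle by matching key-like assignments and headers, then ranks them by Shannon entropy so that placeholders such as `"true"` are ignored. The bundle text and the key prefixes in it are constructed and do not correspond to real Magicbell or Algolia key formats.

```python
"""Find hard-coded credentials in a JavaScript bundle.

Added example, not the original post's or any vendor's code. The sample bundle
below is constructed; the key prefixes in it are invented for illustration.
"""
import math
import re

# Constructed front-end bundle with two hard-coded keys and one harmless string.
SAMPLE_JS = r"""
const cfg = { apiKey: "mb_pk_4f9aZ7qLx2Pn8vR1tKm3Wy0Bh6Jd5Ce", region: "us" };
window.ALGOLIA_APP_ID = "ABC123XYZ";
const debug = "true";
fetch("/api/notify", { headers: { "X-API-Key": "sk_live_Qz8yT3vN1mL6pK9rW2xH5bJ4dF7gS0aE" } });
"""

# Each pattern yields two groups: the identifier and the quoted value (at least 8 chars).
PATTERNS = [
    # assignments such as apiKey: "...", API_SECRET = '...', APP_ID = "..."
    re.compile(r'(?i)\b(\w*(?:api[_-]?key|secret|token|app[_-]?id)\w*)\s*[:=]\s*["\']([^"\']{8,})["\']'),
    # request headers such as "X-API-Key": "..." or "Authorization": "..."
    re.compile(r'(?i)["\'](x-api-key|authorization)["\']\s*:\s*["\']([^"\']{8,})["\']'),
]


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking keys score well above natural words."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_for_secrets(js: str, min_entropy: float = 3.0) -> list:
    """Return findings as dicts (line, name, value, entropy), ordered by line.

    min_entropy is a tunable threshold: 3.0 bits/char drops short flags and
    English words but keeps base62-style keys.
    """
    findings = []
    for pattern in PATTERNS:
        for m in pattern.finditer(js):
            name, value = m.group(1), m.group(2)
            entropy = shannon_entropy(value)
            if entropy < min_entropy:
                continue
            findings.append({
                "line": js.count("\n", 0, m.start()) + 1,
                "name": name,
                "value": value,
                "entropy": round(entropy, 2),
            })
    findings.sort(key=lambda f: f["line"])
    return findings


if __name__ == "__main__":
    for f in scan_for_secrets(SAMPLE_JS):
        print(f"line {f['line']}: {f['name']} = {f['value'][:12]}... (entropy {f['entropy']})")
```

A key that ships in a public bundle has to be assumed compromised regardless of what the vendor calls it; the scanner is for catching that before deploy, not for deciding whether the key is "public enough" to leave in place. The post's Magicbell case is the reminder that a key meant only for subscribing to notifications can still be enough to send them.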
