Free meals, faulty logins and fried security put McDonald’s on hacker’s menu


From plain-text passwords in its global marketing hub to faulty OAuth in executive portals, McDonald’s security left wide gaps.

McDonald’s is definitely not lovin’ it. A white-hat hacker uncovered critical flaws across the burger giant’s employee and partner systems. The vulnerabilities let intruders order free food, gain admin rights to marketing platforms, and dig into corporate portals.

McDonald’s fixed most issues, but the company still lacks a proper security reporting channel.

Free nuggets, leaky logins

The researcher, who goes by “BobDaHacker,” first spotted trouble in McDonald’s delivery app. The app only ran client-side checks when looking up loyalty points, with no server-side protection. That allowed free food orders.

“You could just set up an account for that and it worked, only for delivery orders,” she told The Register.

Reporting the flaws wasn’t easy. McDonald’s had no valid security.txt file. Bob eventually reached staff by repeatedly calling HQ and dropping random names of security employees she found on LinkedIn. “The HQ hotline just asks you to say the name of the person you want to be connected to,” she said.

She then turned her attention to the Feel-Good Design Hub, McDonald’s global platform for marketing assets. At first it was only “protected” by a client-side password.

“After I reported this, they took 3 months to implement a proper account system … Except there was still an issue. All I had to do was change ‘login’ to ‘register’ in the URL,” Bob said.

The system sent passwords in plain text, and exposed API keys in JavaScript, giving attackers even more leverage. She also discovered Algolia search data leaks that exposed names and emails of those requesting access.

The slow response frustrated her. McDonald’s patched some problems quickly when free food was at risk but took months on others. Even then, fixes often fell short, leaving easy ways back in.

Corporate secrets on the menu

McDonald’s internal portals proved just as shaky. A faulty OAuth setup let ordinary crew members access executive areas and sensitive documents.

Bob said she could look up any employee, from the CEO down, and see their email addresses.

Her McDonald’s research partner lost their job over “security concerns from corporate,” though Bob said she did not know how the company traced the person.

The Global Restaurant Standards portal, used by franchisees, lacked admin authorization. That flaw meant anyone could edit materials there. At CosMc’s, the now-closed coffee chain, she found coupons could be reset or rewritten at will.

Bob says McDonald’s fixed most flaws but the Feel-Good Design Hub remains improperly secured. She also discovered the company removed its security.txt file just two months after creating it. “I only found it through the Wayback Machine,” she said.

The issues don’t end there. Last month, researchers revealed McDonald’s AI hiring bot Olivia was protected by a single password: “123456.” Attackers accessed details of 64 million job applicants.

Despite repeated disclosures, McDonald’s still has no permanent security contact. That leaves researchers struggling to report problems before attackers exploit them.


Source: IntEngineering
