McDonald’s not lovin’ it when hacker exposes nuggets of rotten security

A white-hat hacker has discovered a series of critical flaws in McDonald’s staff and partner portals that allowed anyone to order free food online, get admin rights to the burger slinger’s marketing materials, and could allow an attacker to get a corporate email account with which to conduct a little filet-o-phishing.

The hacker, who goes by “Bobdahacker”, first noticed something was awry when she found the McDonald’s online delivery app only ran client-side security checks when looking up an account’s credit points, with no server-side checking, allowing a Hamburglar to order food for free.
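The defect described above is a server that trusts numbers computed in the client. The following is an added illustration, not McDonald's code and not from Bobdahacker's write-up: the same "redeem points" flow written twice, once mirroring the client-side-only check and once with the balance and price looked up server-side under a lock. Account names, balances and menu prices are constructed sample data.

```python
import threading

# Constructed data (not McDonald's systems): server-side point balances and
# the points price of each menu item.
BALANCES = {"alice": 300, "bob": 50}
MENU_POINTS = {"nuggets": 250, "fries": 120}


class OrderRejected(Exception):
    pass


def vulnerable_redeem(user, item, client_balance, client_price):
    """VULNERABLE: mirrors a client-side-only check. Both numbers in the
    decision arrive in the request, so a tampered request such as
    client_price=0 or client_balance=10**9 passes every time."""
    if client_balance < client_price:
        raise OrderRejected("insufficient points")
    return {"user": user, "item": item, "charged": client_price}


class PointsLedger:
    """HARDENED: the server owns balances and prices; the client only names
    the item. The deduction happens under a lock so two racing requests
    cannot both spend the same balance."""

    def __init__(self, balances, menu):
        self._balances = dict(balances)
        self._menu = dict(menu)
        self._lock = threading.Lock()

    def balance(self, user):
        return self._balances.get(user, 0)

    def redeem(self, user, item):
        if item not in self._menu:
            raise OrderRejected("unknown item")
        price = self._menu[item]
        with self._lock:
            balance = self._balances.get(user, 0)
            if balance < price:
                raise OrderRejected("insufficient points")
            self._balances[user] = balance - price
        return {"user": user, "item": item, "charged": price}


if __name__ == "__main__":
    # Constructed demonstration: the tampered request sails through the
    # client-trusting version but is refused by the server-checked one.
    print(vulnerable_redeem("bob", "nuggets", client_balance=10**9, client_price=0))
    ledger = PointsLedger(BALANCES, MENU_POINTS)
    try:
        ledger.redeem("bob", "nuggets")
    except OrderRejected as exc:
        print("server-side check refused bob:", exc)
    print(ledger.redeem("alice", "nuggets"), "remaining:", ledger.balance("alice"))
```

The point of the lock is that a server-side check alone is not enough if two requests can read the same balance before either writes it back; in a real deployment the same atomicity comes from a database transaction or a conditional update.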

“You could just set up an account for that and it worked, only for delivery orders,” she told *The Register*.

Bafflingly, McDonald’s did not have a valid security.txt file – a document that defines the process an org suggests security researchers use to share news of vulnerabilities. Bobdahacker eventually got through to a security McEngineer who said that they were “too busy” to fix the flaw, until the hacker pointed out that anyone could get free food. That got the burger barn’s attention, and it got it wrapped up.

This lack of a reporting channel proved to be a major problem with some of the more serious issues discovered later. Bobdahacker eventually found McDonald’s security staff on LinkedIn and contacted them directly to try and get these issues fixed.

Intrigued, she decided to dig a little deeper and looked at the corporation’s Feel-Good Design Hub, which holds marketing and promotional materials for McDonald’s staff and ad agencies in 120 countries. Once again, security was scanty.

When she alerted the company, it took three months to fix the issue, and even then the solution was a few ingredients short of a Big Mac. While the company did set up proper logins, a little bit of URL customization – in this case changing “login” to “register” – allowed anyone to set up an account, and the system then emailed the new user a password in plaintext.

An examination of the JavaScript in the Hub also showed that the MagicBell API key and secret used for authentication were viewable, a security failing which could let an attacker see every user in the system and create all sorts of other mischief.

She also examined the setup behind the Algolia search-as-a-service McDonald’s uses. This gave access to the names and emails of anyone who had requested access to the site.
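Both of the preceding findings (the MagicBell secret and the Algolia configuration) are the same class of defect: a server-side credential compiled into a browser bundle. A build-time check that fails when such a string appears is the usual mitigation. The scanner below is an added example written for this page, not the project's own tooling; its name patterns and entropy threshold are heuristics chosen here, and the bundle it scans, including every key-looking string in it, is constructed. Algolia does distinguish a search-only key, which is meant for the browser, from an admin key, which is not, and the scanner's two severities reflect that distinction.

```python
import math
import re
from collections import Counter

# Constructed sample bundle; every key below is a made-up string, not a real credential.
SAMPLE_BUNDLE = """\
const ALGOLIA_APP_ID = "ABCDEF1234";
const ALGOLIA_SEARCH_ONLY_KEY = "0123456789abcdef0123456789abcdef"; // search-only: acceptable in a browser
const ALGOLIA_ADMIN_KEY = "fedcba9876543210fedcba9876543210";       // admin key: must never ship
const magicbellApiSecret = "mb_sk_4f9a2c7e1b3d8e6a0c5f7b2d9e4a1c3f";
const greeting = "Welcome to the Feel-Good Design Hub";
"""

# Heuristic (an assumption of this example): identifiers that name a secret.
SENSITIVE_NAME = re.compile(r"(secret|admin[_-]?key|private|token)", re.I)
# `const NAME = "value"` or `name: "value"` with a value of 16+ non-space chars.
ASSIGN = re.compile(
    r"""(?:(?:const|let|var)\s+)?([A-Za-z_$][\w$]*)\s*[=:]\s*["']([^"'\s]{16,})["']"""
)


def shannon_entropy(s):
    """Bits per character; random-looking keys score higher than prose."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_bundle(source, entropy_threshold=3.0):
    """Return findings for string literals that look like shipped credentials.
    'high' = identifier says it is a secret; 'review' = value merely looks random."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for match in ASSIGN.finditer(line):
            name, value = match.group(1), match.group(2)
            entropy = shannon_entropy(value)
            if SENSITIVE_NAME.search(name):
                severity = "high"
            elif entropy >= entropy_threshold:
                severity = "review"
            else:
                continue
            findings.append(
                {"line": lineno, "name": name, "severity": severity, "entropy": round(entropy, 2)}
            )
    return findings


if __name__ == "__main__":
    for finding in scan_bundle(SAMPLE_BUNDLE):
        print(finding)
```

Run it over the built output (the minified bundle that is actually served) rather than the source tree, since that is what a visitor's browser downloads; a 'review' hit is then a human decision about whether that key is scoped to read-only search or grants administrative access.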

### It’s not just staff getting a serving of poor security

McDonald’s has staff portals that employees can sign into, but Bobdahacker found that lowly crew members could access the executive portals thanks to a faulty OAuth implementation. The system also exposed supposedly secret corporate documents.

She found that this would allow you to search for any employee, from the CEO down to individual store managers, and get their email addresses. A friend working at McDonald’s helped with the research, but was fired over “security concerns from corporate” after Bobdahacker informed McDonald’s about the flaws. She has no idea how the fast food giant found her friend’s identity.

### Oh my god, they killed privacy

McDonald’s isn’t the only food business Bobdahacker has exposed as having substandard security.

Casa Bonita, the Mexican restaurant that South Park creators Trey Parker and Matt Stone bought and featured in an episode, has leaked data like a colander. The diner has a Founders Club for supporters that gives them access to promotional deals, special events, and early reservations.

One problem – the members’ details are stored in a database without admin authentication and open to anyone who knows the URL. Bobdahacker easily set up an admin account that gave access to members’ names, emails, and phone numbers, a record of what they ordered and when, and how much they spent – including how much they tipped.

“I couldn’t see payment information,” she told us, but it’s still a lot of very personal data. “Matt and Trey did an amazing job renovating the restaurant – the digital infrastructure deserves the same care,” she wrote in her report.

Once again there was no security.txt, but a friend of a friend got through to management and the issues are now sorted. Casa Bonita had no comment.

McDonald’s is primarily a franchise operation, and a portal called Global Restaurant Standards contains material that defines rules for franchisees to follow.

However, the portal was missing one crucial security feature – admin authorization. In practice this meant that anyone could change material hosted on the site.
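The Design Hub registration route and the Global Restaurant Standards portal both failed the same way: a privileged action (creating an account, editing franchise material) was reachable without an authorization check. The added example below is not McDonald's code; its route paths and roles are hypothetical. It shows a deny-by-default route table, where any request not explicitly granted is refused, together with a single-use, expiring setup token that replaces emailing a new user a plaintext password.

```python
import hashlib
import secrets
import time

# Constructed route table (hypothetical paths, not McDonald's real ones):
# (method, path prefix) -> roles allowed. A route absent from the table is
# denied for everyone, so forgetting to list a new admin page fails closed.
ROUTE_ROLES = {
    ("POST", "/hub/login"): {"anonymous", "staff", "agency", "admin"},
    ("POST", "/hub/register"): {"admin"},   # creating accounts is an admin action, not a public one
    ("GET", "/hub/assets"): {"staff", "agency", "admin"},
    ("GET", "/standards"): {"franchisee", "admin"},
    ("PUT", "/standards"): {"admin"},       # only admins may change franchise material
}


def is_allowed(user_roles, method, path):
    """Deny-by-default authorization decision for one request."""
    for (route_method, prefix), roles in ROUTE_ROLES.items():
        if route_method == method and (path == prefix or path.startswith(prefix + "/")):
            return bool(set(user_roles) & roles)
    return False


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


class SetupTokenStore:
    """Replaces 'email the user a plaintext password' with a single-use,
    expiring setup link. Only a hash of the token is stored, so a copied
    database row or an old mailbox message cannot be replayed."""

    def __init__(self, ttl_seconds=900):
        self._ttl = ttl_seconds
        self._pending = {}   # sha256(token) -> (username, expiry)

    def issue(self, username, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._pending[_digest(token)] = (username, now + self._ttl)
        return token   # goes into the emailed link; never stored in clear

    def redeem(self, token, now=None):
        now = time.time() if now is None else now
        entry = self._pending.pop(_digest(token), None)   # pop: single use
        if entry is None:
            return None
        username, expiry = entry
        return username if now <= expiry else None


if __name__ == "__main__":
    print("anonymous POST /hub/register:", is_allowed(["anonymous"], "POST", "/hub/register"))
    print("staff PUT /standards/cleaning:", is_allowed(["staff"], "PUT", "/standards/cleaning"))
    store = SetupTokenStore()
    link_token = store.issue("new-agency-user")
    print("first redeem:", store.redeem(link_token))
    print("second redeem:", store.redeem(link_token))
```

The table is the inverse of the failure described above: instead of asking "is this route protected?" for each page, the framework asks "who is allowed here?" and treats silence as a refusal. The token store is deliberately tiny; what matters is that the secret is random, hashed at rest, consumed on first use and bounded by a short lifetime.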

The problems weren’t just limited to McDonald’s main site. In 2023 the company launched CosMc’s, a coffee shop brand that also sells a few McDonald’s food items. The experiment lasted less than two years before the McMothership shut it down, but its IT security was just as bad as its parent’s.

Bobdahacker found a promotional membership coupon that gave free stuff to the recipient. This turned out to be easy to reset and it was also possible to change the wording at will.

The corporation now appears to have fixed almost all of these issues, although Bobdahacker told us the Feel-Good Design Hub had not yet been “properly secured for registrations.” She released details of her findings under responsible disclosure guidelines, but there is also still no security.txt file for others to use if researchers find more security problems.

It seems likely they will. Only last month, researchers found that the AI chatbot McDonald’s used to screen job applicants, dubbed Olivia, was pitifully easy to hack. Getting admin access to the bot, built by Paradox.ai, required a password – which turned out to be 123456.

Flaw finders used that password and gained access to personal details of 64 million job applicants, including their names, email addresses, phone numbers, and physical addresses. Paradox apologized and set up a bug bounty program to spot further issues.

We asked for tasty comments to go with this story. At the time of publication McDonald’s had not delivered. ®