
A tasty Mc'Vulnerability

In a classic case of corporate security falling flat, a white-hat hacker, known as "Bobdahacker," uncovered a series of critical vulnerabilities within McDonald's digital infrastructure. These flaws not only compromised customer data but also exposed internal corporate portals, demonstrating a concerning lack of basic security practices.


McDonald's Vulnerability

Bobdahacker's investigation began with the McDonald's online delivery app, where she found a simple flaw that allowed her to order food for free. The app performed security checks on the user's credit points only on the client side, with no verification on the server. This simple oversight meant anyone could manipulate their credit balance to zero out their order. When she attempted to report the issue, she faced an even bigger problem: McDonald's had no security.txt file, a standard document for responsible vulnerability disclosure. After finally getting in touch with a security engineer who initially dismissed the issue, the free food vulnerability quickly caught the company's attention and was fixed.
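The free-food flaw above comes from letting the client do the arithmetic. As an added illustration (hypothetical code, not from the post or from McDonald's app), here is an order handler in the trust-the-client form beside the hardened form that recomputes the total from a server-side menu and redeems credit only from a server-side ledger; the menu prices, ledger, user id and item names are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data: server-authoritative menu prices (cents) and credit ledger
# (one credit point is worth one cent here). Hypothetical values, not real menu data.
MENU_PRICES = {"burger": 599, "fries": 299, "shake": 449}
CREDIT_LEDGER = {"user-42": 300}


class OrderError(ValueError):
    """Raised when an order cannot be priced on the server."""


@dataclass
class Order:
    user_id: str
    items: dict          # item name -> quantity, supplied by the client
    claimed_total: int   # what the client says it owes (untrusted)
    claimed_credit: int  # what the client says it has (untrusted)


def price_order_insecure(order: Order) -> int:
    """Vulnerable pattern: the server trusts the client's numbers.

    Any request with claimed_credit >= claimed_total yields a free order,
    which is the class of bug the post describes.
    """
    return max(order.claimed_total - order.claimed_credit, 0)


def price_order(order: Order, prices=MENU_PRICES, ledger=CREDIT_LEDGER) -> int:
    """Hardened pattern: ignore the client's claimed values entirely.

    The total is recomputed from the server's own catalog, each line item is
    validated, and credit is redeemed only from the server-side ledger, which
    is debited in the same step so it cannot be reused.
    """
    if not order.items:
        raise OrderError("empty order")
    total = 0
    for name, qty in order.items.items():
        if name not in prices or not isinstance(qty, int) or qty <= 0:
            raise OrderError(f"invalid line item: {name!r} x {qty!r}")
        total += prices[name] * qty
    available = ledger.get(order.user_id, 0)   # unknown user -> no credit
    redeemed = min(available, total)
    ledger[order.user_id] = available - redeemed
    return total - redeemed
```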


The hacker's persistence led to more serious findings. She discovered major security gaps in the company's "Feel-Good Design Hub," a portal containing marketing materials for staff worldwide. After a three-month delay, McDonald's "fix" was a mess. The new login system allowed anyone to register for an account by simply changing a single word in the URL, and then the system would send passwords in plain text—a major security no-no. Further digging revealed a publicly viewable API key that could expose every user in the system.


The security failings weren't limited to external portals. Bobdahacker also found that employees could access executive portals due to a faulty security setup, exposing sensitive corporate documents and allowing her to search for any employee’s email address, from the CEO down. She worked with a friend at the company to verify some of the findings, but her friend was later fired, leaving the hacker to wonder how McDonald's discovered her identity.


McDonald's isn't the only food giant with questionable security. Bobdahacker also found glaring vulnerabilities at Casa Bonita, the iconic restaurant owned by the creators of South Park. The restaurant's "Founders Club" database was left completely exposed, allowing anyone with the URL to access a treasure trove of personal data, including members' names, emails, phone numbers, and purchase history.


These incidents highlight a critical lesson for any company with a digital footprint: strong security isn't an option, it's an absolute necessity. Ignoring security vulnerabilities can lead to significant data breaches and reputational damage. As the world becomes more reliant on digital services, companies must prioritise robust security protocols and establish clear, accessible channels for security researchers to report issues.

