A series of alarming vulnerabilities in McDonald’s digital infrastructure, from free food exploits to exposed executive data.
What started as a simple app glitch developed into a months-long ordeal, culminating in the researcher, BobDaHacker, cold-calling the company’s headquarters while mentioning security employees he had found on LinkedIn. The fixes were implemented only after extraordinary efforts to be heard.
It all started innocently enough with the McDonald’s mobile app. The researcher discovered that reward points validation was handled client-side only, allowing users to claim free items like nuggets without sufficient points.
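As an added illustration of the client-side validation flaw described above (example code written for this page, not the app's or the researcher's; the catalogue, balances and function names are constructed), the trusting pattern and a server-side redemption check side by side:

```python
# Added example (not McDonald's code): why reward redemption must be validated server-side.
# Constructed data: a point catalogue and a per-user balance store.
from dataclasses import dataclass, field
from threading import Lock

CATALOGUE = {"nuggets": 1500, "fries": 800}  # cost in points (constructed values)


@dataclass
class PointStore:
    balances: dict = field(default_factory=dict)
    lock: Lock = field(default_factory=Lock)

    def redeem_trusting_client(self, user: str, item: str, client_says_affordable: bool) -> bool:
        """Vulnerable pattern: the app decides whether the user can afford the item
        and the server only records the redemption. A tampered client can always
        send True, so the balance check never really happens."""
        if item not in CATALOGUE or not client_says_affordable:
            return False
        # No server-side check: the balance can silently go negative.
        self.balances[user] = self.balances.get(user, 0) - CATALOGUE[item]
        return True

    def redeem_server_side(self, user: str, item: str) -> bool:
        """Hardened pattern: the server resolves the cost itself, checks the stored
        balance of the authenticated user, and deducts under a lock so two
        concurrent requests cannot both pass the check with one balance."""
        cost = CATALOGUE.get(item)
        if cost is None:
            return False
        with self.lock:
            balance = self.balances.get(user, 0)
            if balance < cost:
                return False  # insufficient points: refuse, nothing is deducted
            self.balances[user] = balance - cost
            return True
```

Any client-supplied "I can afford this" flag is an input to log and ignore; the only authority on a balance is the server's own record.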
BobDaHacker’s attempts to report this led to a software engineer dismissing it as “too busy,” though the bug was patched days later, possibly after the engineer investigated it himself.
He explored the depths of McDonald’s systems and discovered vulnerabilities in the Design Hub, a platform used for brand assets by teams in 120 countries. This platform relied on a client-side password for protection.
After reporting this issue, the company undertook a three-month overhaul to implement proper logins for employees and partners. However, a significant flaw remained: by simply changing “login” to “register” in the URL, an open endpoint could be accessed.
The API also provided guidance to users on any missing fields, making account creation alarmingly easy. Even more concerning, passwords were sent via email in plaintext, an extremely risky practice in 2025.
Source: Cybersecurity News