A series of alarming vulnerabilities in McDonald\u2019s digital infrastructure, from free food exploits to exposed executive data.<\/p>\n
What started as a simple app glitch developed into a months-long trial, culminating in the researcher, BobDaHacker, cold-calling the company\u2019s headquarters while mentioning security employees he found on LinkedIn. The fixes were implemented only after extraordinary efforts to be heard.<\/p>\n
It all started innocently enough with the McDonald\u2019s mobile app. The researcher discovered that reward points validation was handled client-side only, allowing users to claim free items like nuggets without sufficient points.<\/p>\n
BobDaHacker attempts to report this led to a software engineer dismissing it as \u201ctoo busy,\u201d though the bug was patched days later, possibly after the engineer investigated it himself.<\/p>\n
He explored the depths of McDonald\u2019s systems and discovered vulnerabilities in the Design Hub, a platform used for brand assets by teams in 120 countries. This platform relied on a client-side password for protection.<\/p>\n
After reporting this issue, the company undertook a three-month overhaul to implement proper logins for employees and partners. However, a significant flaw remained: by simply changing \u201clogin\u201d to \u201cregister\u201d in the URL, an open endpoint could be accessed.<\/p>\n
The API also provided guidance to users on any missing fields, making account creation alarmingly easy. Even more concerning, passwords were sent via email in plaintext, an extremely risky practice in 2025.<\/p>\n