McDonald’s has once again hit the headlines with a series of cybersecurity fails, this time discovered by security researcher BobDaHacker. After alerting the company to the possibility of free chicken nuggets by taking advantage of its client-side only reward point validation system, only to be told by a software engineer they were “too busy” to take a report, the intrepid security expert decided to take a closer look at McDonald’s cybersecurity overall—and came away with a litany of potential breach points.
First up was the McDonald’s Feel-Good Design Hub, a central platform for brand assets and marketing materials (via Tom’s Hardware). BobDaHacker reported to the company that its client-side password policy was a potential security risk, which McDonald’s duly began working on over the next three months.
However, after it was finished, BobDaHacker took a look at its new login system, only to discover that all they had to do was “change ‘login’ to ‘register’ in the URL” in order to sign up for an account. The password Bob received was then emailed to them in plaintext, and after logging in they were able to access a large number of materials, some of which were marked “highly confidential and proprietary information.”
BobDaHacker also discovered that the company’s Magicbell APR key was left viewable in the JavaScript, potentially allowing hackers to list every user in the system and send official-looking notifications to anyone on the list, which they claim could be used to “run a phishing campaign with McDonald’s own infrastructure.” They duly notified the company, which has since removed and rotated the keys.
Perhaps most shocking was the level of access a McDonald’s crew member could obtain with a basic account. BobDaHacker claims that not only could base-level access be used to read internal corporate documents and look up the personal emails of any McDonald’s employee, from store managers to the CEO, but the GRS (Global Restaurant Standards) tool could be used to update any page content with HTML, via an API endpoint with no cookies.
BobDaHacker says they used this capability to display a large image of Shrek on the GRS homepage, before changing it back after a minute. Well, Shrek is an onion fan after all, and McDonald’s must get through millions of them.
The security researcher then attempted to use available security contact info to report all of these potential breach points, but found it was outdated, with no easy way to inform the company of its cybersecurity failings. As a result, they resorted to calling McDonald’s HQ, before being stymied by an automated phone system that required them to say the name of someone they wanted to be connected to.
Undetterred, they began namedropping random security employees they’d discovered on LinkedIn, before eventually being called back with information on where to report the issues.
BobDaHacker now claims that most of the vulnerabilities have since been fixed, but McDonald’s still hasn’t established a proper security reporting channel, and the crew member who helped them research the employee authentication vulnerabilities was let go for “security concerns from corporate.” They still believe that some of the flagged tools might be accessible, and suggest that McDonald’s should consider a bug bounty program to prevent further exploits.
All of which brings to mind the discovery of serious security lapses in the McDonald’s AI-based McHire platform, which until recently could be logged in to via an administrator account with the username and password “123456”. It appears McDonald’s security practices could do with an update, although on a personal note, I reckon they should keep some of their menu items just the way they are.
I’m particularly partial to a quarter pounder, although I think I’ll be leaving the login-based reward points scheme alone for now.
Best PC build 2025