Free Nugget Hack Exposes McDonald's Cybersecurity Weaknesses

A security researcher revealed multiple vulnerabilities within McDonald's systems through a seemingly innocent modification to their URL for ordering nuggets.

McDonald’s has once again made headlines for cybersecurity issues, with several vulnerabilities uncovered by the security researcher BobDaHacker. He exploited a flaw in their client-side reward point validation; what began as a potential free nugget success story spiraled into revelations of major security faults.
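The class of flaw described above, client-side reward point validation, as an added example that is not code from McDonald's or from the researcher's report. It contrasts a handler that trusts values sent by the client with one that checks them on the server; every name in it (`ledger`, `catalogue`, the request fields, the item id) is hypothetical and the data is constructed.

```javascript
// Constructed sample data (hypothetical names): the server's own records.
const ledger = new Map([["user-1", 120]]);          // authoritative point balances
const catalogue = new Map([["nuggets-6pc", 1500]]); // authoritative reward costs

// Weak pattern: the decision rests on numbers supplied in the request,
// so the check is only as honest as whoever builds the request.
function redeemTrustingClient(req) {
  if (req.claimedPoints >= req.claimedCost) {
    return { ok: true, item: req.itemId };
  }
  return { ok: false, reason: "insufficient points" };
}

// Hardened pattern: the user id comes from the authenticated session and the
// request contributes only the item id. Balance and cost are looked up
// server-side, and any client-claimed values are ignored.
function redeemServerSide(sessionUserId, req) {
  const cost = catalogue.get(req.itemId);
  if (cost === undefined) return { ok: false, reason: "unknown item" };
  const balance = ledger.get(sessionUserId) ?? 0;
  if (balance < cost) return { ok: false, reason: "insufficient points" };
  ledger.set(sessionUserId, balance - cost); // debit before fulfilling
  return { ok: true, item: req.itemId, remaining: balance - cost };
}

// Constructed request in which the client-side values have been altered.
const tampered = { itemId: "nuggets-6pc", claimedPoints: 99999, claimedCost: 0 };

console.log(redeemTrustingClient(tampered));        // accepted on the client's word
console.log(redeemServerSide("user-1", tampered));  // rejected: ledger says 120 points
```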

After being brushed off by an engineer, BobDaHacker dug deeper into McDonald’s cybersecurity framework. His findings were alarming, highlighting issues such as a basic URL manipulation that revealed highly confidential materials.

Key Findings

BobDaHacker accessed the McDonald’s Feel-Good Design Hub, where he illustrated critical weaknesses stemming from the password policies McDonald’s had implemented. On further investigation, even after rectifications, simply changing ‘login’ to ‘register’ in the URL allowed unauthorized access and resulted in plaintext passwords being delivered via email.

Additional Vulnerabilities

  • Magicbell API Key Exposure: Detected in JavaScript files, potentially enabling phishing campaigns utilizing McDonald’s infrastructure.
  • Internal Document Access: A basic crew member’s access could facilitate viewing internal documents or even altering company website content.

He notified McDonald’s about these vulnerabilities, but his attempts to communicate through proper channels were thwarted by outdated contact information, prompting him to resort to calling Headquarters.

Most vulnerabilities have reportedly been addressed; however, a robust security reporting mechanism is still lacking. BobDaHacker advocates for a bug bounty program as crucial for fortifying McDonald’s cyber defenses.
