I Hacked McDonald's (Security Contact Was Harder to Find Than Secret Recipe)
4 days ago
- #vulnerabilities
- #McDonalds
- #security
- A vulnerability in the McDonald's app allowed free food because orders were not validated server-side.
- The issue was reported but faced delays; the bug was eventually fixed.
- McDonald's Design Hub relied on client-side password protection and exposed an open registration endpoint.
- The Design Hub emailed passwords in plaintext and exposed API keys in its JavaScript.
- Algolia indexes exposed personal information of users who had requested access to McDonald's systems.
- Crew members could access executive systems and impersonate employees via the TRT portal.
- The GRS panel had no authentication, allowing unauthorized content changes.
- Internal documents were accessible due to a Stravito misconfiguration.
- CosMc's had vulnerabilities such as unlimited coupon use and order data injection.
- McDonald's lacked a proper security reporting channel; the researcher had to cold-call HQ to report the issues.
- Most vulnerabilities were fixed, but the friend who helped report them was let go, and some issues may remain.
- Suggested improvements: maintain a security.txt file, establish a security contact, and start a bug bounty program.
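The free-food bug (no server-side validation) and the CosMc's coupon and order-injection issues above share one root cause: the server trusted data the client controls. The following is an added example, not code from the write-up or from McDonald's; the catalog, the coupon rule, the `placeOrder` and `totalTrustingClient` names and the sample orders are all constructed for illustration. It puts a checkout that trusts client-supplied prices and coupon codes beside one that prices every line from a server-side catalog, records coupon redemptions per user, and rejects any field it does not expect.

```javascript
// Added example (hypothetical checkout logic, not McDonald's code).
// Constructed catalog and coupon table; prices are in cents.
const CATALOG = new Map([
  ["burger", 599],
  ["fries", 299],
  ["shake", 399],
]);

// Coupon rules: one unit of `freeItem` is free, once per user.
const COUPONS = new Map([
  ["FREEFRIES", { freeItem: "fries", maxUsesPerUser: 1 }],
]);

// Redemption ledger: userId -> Set of coupon codes already used.
// Injected into placeOrder so callers (and tests) can use a fresh one.
const redemptions = new Map();

// VULNERABLE pattern: the total is computed from whatever the client sends.
// A client that sends price: 0 gets free food; a client that reuses the
// coupon code gets the discount every time, because nothing is recorded.
function totalTrustingClient(order) {
  let total = 0;
  for (const line of order.items) {
    total += line.price * line.qty; // client-controlled price
  }
  if (order.coupon === "FREEFRIES") {
    total -= 299; // no redemption tracking, no check that fries were ordered
  }
  return Math.max(total, 0);
}

// HARDENED pattern: only known fields are accepted, prices come from the
// catalog, quantities are bounded, and each coupon is redeemed once per user.
const ALLOWED_ORDER_FIELDS = new Set(["userId", "items", "coupon"]);
const ALLOWED_ITEM_FIELDS = new Set(["sku", "qty"]);

function placeOrder(order, ledger = redemptions) {
  // Reject injected fields such as a client-supplied price or role flag.
  for (const key of Object.keys(order)) {
    if (!ALLOWED_ORDER_FIELDS.has(key)) throw new Error(`unexpected field: ${key}`);
  }
  if (typeof order.userId !== "string" || order.userId === "") throw new Error("missing userId");
  if (!Array.isArray(order.items) || order.items.length === 0) throw new Error("empty order");

  let total = 0;
  for (const line of order.items) {
    for (const key of Object.keys(line)) {
      if (!ALLOWED_ITEM_FIELDS.has(key)) throw new Error(`unexpected item field: ${key}`);
    }
    const price = CATALOG.get(line.sku);
    if (price === undefined) throw new Error(`unknown sku: ${line.sku}`);
    if (!Number.isInteger(line.qty) || line.qty < 1 || line.qty > 20) {
      throw new Error(`bad qty for ${line.sku}`);
    }
    total += price * line.qty; // server-side price, never the client's
  }

  if (order.coupon !== undefined) {
    const rule = COUPONS.get(order.coupon);
    if (!rule) throw new Error("unknown coupon");
    const used = ledger.get(order.userId) || new Set();
    if (used.has(order.coupon)) throw new Error("coupon already redeemed");
    if (!order.items.some((l) => l.sku === rule.freeItem)) {
      throw new Error("coupon does not apply to this order");
    }
    total -= CATALOG.get(rule.freeItem); // discount priced from the catalog too
    used.add(order.coupon); // record the redemption so it cannot be replayed
    ledger.set(order.userId, used);
  }
  return total;
}

module.exports = { CATALOG, COUPONS, totalTrustingClient, placeOrder };
```

The hardened version deliberately fails closed: an unknown SKU, an out-of-range quantity, an unexpected property, or a second use of the same coupon all reject the order rather than silently dropping the bad part, so a probing client learns nothing about which field the server ignored.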