- A researcher's attempt to exploit free McNuggets exposed much deeper failures in McDonald's systems
- McDonald's apparently has no obvious path for researchers to report vulnerabilities
- Changing "login" to "register" in a URL granted full account access
What began as an attempt to claim free food through the McDonald's app rewards system turned out to be far more revealing for one expert.
A security researcher known as "Bobdahacker" discovered serious weaknesses in McDonald's online systems while trying to redeem a free McNugget reward through the company's mobile app.
Digging further into the flaw gave access to the "Welcome Design Center", a central platform for marketing assets and brand materials used by employees and agencies in more than 120 countries.
Reporting security problems the hard way
Attempts to disclose these flaws highlighted another concern: McDonald's had no clear path for researchers to report vulnerabilities. According to Bob, the company once published a "security.txt" file, but it disappeared only months later.
Without a direct disclosure channel, Bob had to dig through LinkedIn for staff names and call headquarters repeatedly until someone finally responded.
Such a drawn-out process suggests that other researchers may give up long before their findings reach the right people.
Even after McDonald's replaced the password check with a new login system, there was another oversight.
By changing "login" to "register" in the URL, Bob was able to create new accounts with full access.
Worse, on registration the system emailed passwords in plain text, a practice discredited for decades because of the identity-theft and account-misuse risks it creates.
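The two mistakes described above, an unguarded registration route that hands out full access and a welcome email carrying the password itself, are easy to model. The following is an added example, not code from the article or from McDonald's: a toy in-memory account service in which the vulnerable class reproduces both mistakes, and the hardened class shows the usual fixes (registration requires an invitation bound to the invitee's address, new accounts start at the lowest role, the email carries a single-use set-password link instead of a password, and only a salted PBKDF2 hash is stored). The Outbox class, the invite key and the example.com link are all constructed for the demonstration.

```python
# Added example (not the article's or McDonald's code): vulnerable vs hardened registration.
import hashlib
import hmac
import secrets


class Outbox:
    """Stand-in for an email sender; keeps messages so behaviour can be inspected."""
    def __init__(self):
        self.sent = []

    def send(self, to, subject, body):
        self.sent.append({"to": to, "subject": subject, "body": body})


class VulnerableAccounts:
    """/login is guarded, but /register is reachable by anyone, grants full access,
    and emails the password in plain text: the pattern the article describes."""
    def __init__(self, outbox):
        self.outbox = outbox
        self.users = {}  # email -> {"password": <plaintext>, "role": ...}

    def handle(self, path, email, password=None):
        if path == "/login":
            user = self.users.get(email)
            if user and user["password"] == password:
                return 200, f"welcome {user['role']}"
            return 401, "bad credentials"
        if path == "/register":  # swap "login" for "register" in the URL and you are in
            new_password = secrets.token_urlsafe(9)
            self.users[email] = {"password": new_password, "role": "admin"}  # everyone gets full access
            self.outbox.send(email, "Your new account", f"Your password is: {new_password}")  # plaintext
            return 200, "registered"
        return 404, "not found"


class HardenedAccounts:
    """Same service with the fixes a reviewer would ask for."""
    def __init__(self, outbox, invite_key):
        self.outbox = outbox
        self.invite_key = invite_key  # server-side secret; assumed to come from a secret store
        self.users = {}               # email -> {"salt", "hash", "role"}
        self.pending = {}             # one-time set-password token -> email

    def issue_invite(self, email):
        """Admin-side action: an invitation is an HMAC over the invitee's address."""
        return hmac.new(self.invite_key, email.encode(), hashlib.sha256).hexdigest()

    def handle(self, path, email, password=None, invite=None):
        if path == "/login":
            user = self.users.get(email)
            if user and user["hash"] and hmac.compare_digest(
                    self._hash(password or "", user["salt"]), user["hash"]):
                return 200, f"welcome {user['role']}"
            return 401, "bad credentials"
        if path == "/register":
            if invite is None or not hmac.compare_digest(invite, self.issue_invite(email)):
                return 403, "self-registration is disabled; an invitation is required"
            if email in self.users:
                return 409, "account exists"
            token = secrets.token_urlsafe(32)
            self.pending[token] = email
            self.users[email] = {"salt": None, "hash": None, "role": "viewer"}  # least privilege by default
            # the email carries a single-use link; no password ever travels by mail
            self.outbox.send(email, "Set your password",
                             f"https://example.com/set-password?token={token}")
            return 200, "invitation accepted; check your email"
        return 404, "not found"

    def set_password(self, token, password):
        email = self.pending.pop(token, None)  # single use: a replayed link fails
        if email is None:
            return 400, "invalid or already used token"
        salt = secrets.token_bytes(16)
        self.users[email].update(salt=salt, hash=self._hash(password, salt))
        return 200, "password set"

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
```

The hardened version also closes the quieter problem: even if self-registration must exist for a business reason, an invitation bound to the address and a default role with no access means a stranger who reaches the register URL gets nothing worth having.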
While companies of McDonald's scale face unique challenges in deploying secure systems, such basic failures raise hard questions about priorities.
This is not the first time McDonald's has faced scrutiny over weak safeguards: only a month earlier, a different problem came to light when a platform storing private data was protected by the password "123456".
When failures are repeatedly this easy to exploit, it raises doubts about whether security tooling and routine internal reviews are applied consistently.
For a corporation with global reach, lapses of this kind have consequences beyond marketing assets, since employee and customer information could be at stake.
According to reports, McDonald's has fixed most of the vulnerabilities Bob flagged, but the company has not restored a reliable reporting channel for future disclosures.
Without one, the risk remains that serious flaws will be overlooked or ignored until they are exploited.
Via Tom's Hardware