
McDonald’s hacked by BobDaHacker! Better him than real cybercriminals

Redazione RHC : 19 August 2025 22:26

Researcher BobDaHacker discovered that McDonald’s app rewards point validation was only handled client-side, allowing users to claim free items like nuggets even without enough points. BobDaHacker reported the issue, but a software engineer dismissed it as “too much effort,” although the bug was fixed days later, likely after the engineer reviewed it.
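The rewards bug described above, as an added example that is not the app's or the researcher's code: a toy redemption handler that honours client-supplied eligibility, beside one that recomputes cost and balance from server-side state only. The catalogue, account model and request fields are assumptions constructed for the illustration.

```python
"""Client-side-only vs server-side reward redemption checks.

Added example, not McDonald's code: the handlers, item catalogue and
request shape are all assumptions constructed to illustrate the pattern.
"""
from dataclasses import dataclass, field

# Constructed catalogue: item id -> points cost.
CATALOGUE = {"nuggets": 1500, "fries": 800}


@dataclass
class Account:
    points: int
    redeemed: list = field(default_factory=list)


def redeem_trusting_client(account: Account, request: dict) -> bool:
    """Vulnerable pattern: the app already checked the balance, so the
    server only honours the client's 'eligible' flag and 'cost' value."""
    if not request.get("eligible"):
        return False
    account.points -= request.get("cost", 0)   # client-chosen cost
    account.redeemed.append(request["item"])
    return True


def redeem_server_side(account: Account, request: dict) -> bool:
    """Hardened pattern: cost and eligibility come from server state only;
    every client-supplied field other than the item id is ignored."""
    item = request.get("item")
    cost = CATALOGUE.get(item)
    if cost is None:                 # unknown item id
        return False
    if account.points < cost:        # insufficient balance
        return False
    account.points -= cost
    account.redeemed.append(item)
    return True


def demo():
    """Constructed request: 50-point account claims eligibility at cost 0."""
    tampered = {"item": "nuggets", "eligible": True, "cost": 0}
    weak, strong = Account(points=50), Account(points=50)
    return redeem_trusting_client(weak, tampered), redeem_server_side(strong, tampered)
```

The weak handler grants the item and leaves the balance untouched; the hardened one rejects it because the server-side ledger, not the request, decides eligibility.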

The researcher subsequently dug deep into McDonald’s systems and discovered vulnerabilities in the Design Hub, a platform used for brand assets by teams in 120 countries. This platform relied on a client-side password for protection.

The registration API also told callers which fields were missing, making it trivial to create an account. Even more concerning, passwords were sent by email in clear text, an extremely risky practice in 2025.

After reporting the issue, the company undertook a three-month review to implement proper logins for employees and partners. However, a significant flaw remained: simply replacing “login” with “register” in the URL allowed access to an open endpoint.

Subsequent tests confirmed that the endpoint was still accessible, allowing unauthorized access to confidential materials intended solely for internal use, BobDaHacker said.

JavaScript files in the Design Hub revealed further details: exposed Magicbell API keys and secrets allowed users to be listed and phishing notifications to be sent via McDonald’s infrastructure. These were rotated after the report. Algolia search indexes were also listable, exposing personal data such as names, email addresses, and access requests.

Employee portals also proved vulnerable. McDonald’s team members’ basic accounts could access TRT, a corporate tool, to search global employee data, including executive emails, and even use an “impersonation” feature.

The Global Restaurant Standards (GRS) panel lacked authentication for its administration functions, allowing anyone to inject HTML via the API. To demonstrate this, the researcher briefly changed the homepage to “You’ve Been Shreked” before restoring it.

Additional issues included misconfigured logins, the exposure of internal documents to low-level staff, and exploits in CosMc’s experimental restaurant app, such as unlimited coupon use and arbitrary order data injection.

Recall that last month, a serious security vulnerability in McDonald’s AI-based hiring system exposed the personal data of 64 million applicants through weak security using the password “123456.”
