2025-08-20 08:33:00
www.pcgamer.com
McDonald’s has once again hit the headlines with a series of cybersecurity fails, this time discovered by security researcher BobDaHacker. After alerting the company that its reward points were validated only on the client side, which made free chicken nuggets possible, only to be told by a software engineer that they were “too busy” to take a report, the intrepid security expert decided to take a closer look at McDonald’s cybersecurity overall, and came away with a litany of potential breach points.
First up was the McDonald’s Feel-Good Design Hub, a central platform for brand assets and marketing materials (via Tom’s Hardware). BobDaHacker reported to the company that its client-side password policy was a potential security risk, which McDonald’s duly began working on over the next three months.
However, after it was finished, BobDaHacker took a look at its new login system, only to discover that all they had to do was “change ‘login’ to ‘register’ in the URL” in order to sign up for an account. The password Bob received was then emailed to them in plaintext, and after logging in they were able to access a large number of materials, some of which were marked “highly confidential and proprietary information.”
BobDaHacker also discovered that the company’s MagicBell API key was exposed in the site’s client-side JavaScript, potentially allowing attackers to list every user in the system and send official-looking notifications to anyone on the list, which they claim could be used to “run a phishing campaign with McDonald’s own infrastructure.” They duly notified the company, which has since removed and rotated the keys.
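As an added example (not code from the article or from BobDaHacker’s research), the following scanner flags credential-looking string literals in a JavaScript bundle, which is the class of mistake described above. The identifier patterns, the entropy threshold and the bundle excerpt are all constructed for the demo; no real MagicBell key format is assumed.

```javascript
// Added example, not from the article or from BobDaHacker's research: a scanner
// that flags credential-looking string literals in a JavaScript bundle. The
// identifier patterns, entropy threshold and bundle excerpt are constructed for
// the demo; no real MagicBell key format is assumed.

// Shannon entropy of a string in bits per character.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Identifier names that suggest a literal is a credential (hypothetical list).
const SENSITIVE_NAME = /(api[_-]?key|secret|token|password|auth)/i;

// Matches `name: "literal"` or `name = 'literal'` with a literal of 16+ chars.
const ASSIGNMENT = /([A-Za-z_$][\w$]*)\s*[:=]\s*(["'])([^"'\n]{16,})\2/g;

// Returns one finding per literal whose name looks sensitive AND whose value
// has enough entropy to be a real key rather than a placeholder or a URL.
// Either signal alone is noisy; requiring both keeps the output reviewable.
function findLeakedSecrets(bundleText, minEntropy = 3.5) {
  const findings = [];
  const re = new RegExp(ASSIGNMENT.source, 'g');   // fresh lastIndex per call
  let m;
  while ((m = re.exec(bundleText)) !== null) {
    const [, name, , literal] = m;
    const entropy = shannonEntropy(literal);
    if (!SENSITIVE_NAME.test(name) || entropy < minEntropy) continue;
    const line = bundleText.slice(0, m.index).split('\n').length;
    findings.push({ name, line, entropy: Number(entropy.toFixed(2)),
                    preview: literal.slice(0, 6) + '...' });
  }
  return findings;
}

// Constructed bundle excerpt; the key value is fake.
const SAMPLE_BUNDLE = [
  'const config = {',
  '  apiBase: "https://example.invalid/v1",',
  '  magicbellApiKey: "a3f91c0e7b5d48e2f6a1c9d0b7e4f3a2",',
  '  theme: "light",',
  '  analyticsToken: "REPLACE_ME_REPLACE_ME_REPLACE",',
  '};',
].join('\n');

console.log(findLeakedSecrets(SAMPLE_BUNDLE));
```

Only `magicbellApiKey` is reported: `apiBase` has a high-entropy-looking URL but a harmless name, and `analyticsToken` has a sensitive name but a low-entropy placeholder value. Run it over a production bundle before it ships, and treat any hit as a key that must be rotated, not merely removed, because anyone who fetched the bundle already has it.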
Perhaps most shocking was the level of access a McDonald’s crew member could obtain with a basic account. BobDaHacker claims that not only could base-level access be used to read internal corporate documents and look up the personal emails of any McDonald’s employee, from store managers to the CEO, but the GRS (Global Restaurant Standards) tool could be used to update any page’s content with arbitrary HTML, via an API endpoint that accepted requests carrying no session cookies at all.
BobDaHacker says they used this capability to display a large image of Shrek on the GRS homepage, before changing it back after a minute. Well, Shrek is an onion fan after all, and McDonald’s must get through millions of them.
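As an added example, not code from the article, from BobDaHacker, or from any McDonald’s system, the block below puts the two failure modes described on this page side by side with hardened versions: a points balance that is validated only on the client (the nuggets finding at the top), and a content-update API that needs no session cookie (the GRS finding). The hardened handlers take identity from a server-side session, the balance from a server-side ledger, and the right to edit from a role check. The request shape, session store, ledger, roles and page names are all constructed for the demo.

```javascript
// Added example, not code from the article, from BobDaHacker, or from any
// McDonald's system. Request shape, sessions, ledger, prices, roles and pages
// are all constructed for the demo.

// Fresh server-side state per scenario so the vulnerable and hardened
// handlers can be exercised independently.
function newState() {
  return {
    sessions: new Map([
      ['sess-crew', { userId: 'u1', role: 'crew' }],
      ['sess-admin', { userId: 'u2', role: 'content-admin' }],
    ]),
    ledger: new Map([['u1', 120], ['u2', 0]]),   // points earned per user
    prices: { nuggets: 150, fries: 100 },
    pages: new Map([['home', '<h1>Standards</h1>']]),
  };
}

// --- Vulnerable handlers -----------------------------------------------------

// Identifies the user from the request body and trusts the balance the client
// sends: any caller can claim any balance on behalf of any user.
function redeemVulnerable(state, req) {
  const { userId, item, clientBalance } = req.body;
  const price = state.prices[item];
  if (clientBalance < price) return { status: 403 };
  state.ledger.set(userId, clientBalance - price);
  return { status: 200, item };
}

// No session check at all: any caller can overwrite any page with any HTML.
function updatePageVulnerable(state, req) {
  state.pages.set(req.body.page, req.body.html);
  return { status: 200 };
}

// --- Hardened handlers -------------------------------------------------------

// Resolves the caller from the session cookie; null when absent or unknown.
function requireSession(state, req) {
  const token = req.cookies && req.cookies.session;
  return token ? state.sessions.get(token) || null : null;
}

// Identity from the session, balance from the ledger; the client's claimed
// balance (req.body.clientBalance) is never read.
function redeemHardened(state, req) {
  const session = requireSession(state, req);
  if (!session) return { status: 401 };
  const price = state.prices[req.body.item];
  if (price === undefined) return { status: 400 };
  const balance = state.ledger.get(session.userId) ?? 0;
  if (balance < price) return { status: 403 };
  state.ledger.set(session.userId, balance - price);
  return { status: 200, item: req.body.item };
}

// Session required, then a role check: crew accounts cannot edit standards pages.
function updatePageHardened(state, req) {
  const session = requireSession(state, req);
  if (!session) return { status: 401 };
  if (session.role !== 'content-admin') return { status: 403 };
  if (!state.pages.has(req.body.page)) return { status: 404 };
  state.pages.set(req.body.page, req.body.html);
  return { status: 200 };
}

// Constructed attacker request: no cookie, someone else's user id, an inflated
// balance, and replacement HTML for the home page.
const FORGED = {
  cookies: {},
  body: { userId: 'u1', item: 'nuggets', clientBalance: 9999,
          page: 'home', html: '<img src="shrek.png">' },
};

const demo = newState();
console.log('vulnerable redeem:', redeemVulnerable(demo, FORGED), 'ledger u1 =', demo.ledger.get('u1'));
console.log('hardened redeem:', redeemHardened(newState(), FORGED));
console.log('vulnerable page update:', updatePageVulnerable(newState(), FORGED));
console.log('hardened page update:', updatePageHardened(newState(), FORGED));
```

The point of the pairing is that the vulnerable handlers are not missing a validation step so much as asking the wrong party: the client is allowed to assert both who it is and what it has. The hardened versions answer both questions from state the server controls, and the role check is what stops a valid crew session from becoming an edit on a page it should only be able to read.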
The security researcher then attempted to use available security contact info to report all of these potential breach points, but found it was outdated, with no easy way to inform the company of its cybersecurity failings. As a result, they resorted to calling McDonald’s HQ, before being stymied by an automated phone system that required them to say the name of someone they wanted to be connected to.
Undeterred, they began name-dropping random security employees they’d found on LinkedIn, before eventually being called back with information on where to report the issues.
BobDaHacker now claims that most of the vulnerabilities have since been fixed, but McDonald’s still hasn’t established a proper security reporting channel, and the crew member who helped them research the employee authentication vulnerabilities was let go for “security concerns from corporate.” They still believe that some of the flagged tools might be accessible, and suggest that McDonald’s should consider a bug bounty program to prevent further exploits.
All of which brings to mind the discovery of serious security lapses in McDonald’s AI-based McHire platform, which until recently could be accessed via an administrator account whose username and password were both “123456”. It appears McDonald’s security practices could do with an update, although on a personal note, I reckon they should keep some of their menu items just the way they are.
I’m particularly partial to a quarter pounder, although I think I’ll be leaving the login-based reward points scheme alone for now.