McDonald’s Marketing Website Found to Use Password System Without Server-side Check



A security researcher named BobDaHacker recently reported that he had discovered a number of security vulnerabilities related to global fast food giant McDonald’s.


His investigation into the company’s digital security began when he discovered that the points balance in the McDonald’s app was not stored on the company’s servers, but only on the client side.


He discovered the issue when he tried to redeem points for free McNuggets. He then reported the issue to McDonald’s IT, who then fixed it.


However, Bob continued to search for other security vulnerabilities through the company’s IT infrastructure, and discovered that one of their websites, the Feel-Good Design Hub, uses a login system that stores password details on the computer.


This means that after the login ID and password are entered, the data is stored in the web browser, and the website’s login system never checks the credentials against the server to verify the user’s identity.


This issue was only fixed a few months later. In the meantime, it was discovered that simply changing the word “login” to “register” in the website’s admin URL let anyone register for access to the website.


Worse still, when Bob registered for an account on the website, the password was sent back to him in plaintext. Normally, for the account owner’s security, a password would not be sent directly to the user by email, to reduce the risk of the account being compromised without the owner knowing.


In addition, there were many other security vulnerabilities involving JavaScript and open APIs that would allow anyone with the right knowledge to impersonate McDonald’s and defraud others. Combined with the easily accessible McDonald’s marketing assets, anyone could be fooled by phishing emails sent by unscrupulous parties.


He also gave examples of the reputational damage that could be done with nothing more than access to this website.


All of these vulnerabilities were reported by BobDaHacker to McDonald’s, and have been fixed. The registration website has been removed, and it appears that the alleged JavaScript issue has also been fixed.


Reporting them almost became a problem in itself, because he had difficulty reaching anyone at McDonald’s who could understand the discoveries he had made.
