Security researcher driven by free nuggets unearths McDonald's security flaw — changing 'login' to 'register' in URL prompted site to issue plain text password for a new account
I'm hackin' it

"Would you like to access sensitive information?" might be the new "Would you like fries with that?" A security researcher called "BobDaHacker" has just revealed how he went from scoring free McNuggets via the fast food chain's mobile app to repeatedly gaining access to a McDonald's platform meant only for employees and franchisees.
"The McDonald's Feel-Good Design Hub is their central platform for brand assets and marketing materials - used by teams and agencies across 120 countries. It used to be 'protected' by a client-side password. Yes, CLIENT-SIDE," BobDaHacker said. "After I reported this, they took 3 months to implement a proper account system with different login paths for McDonald's employees (using their EID/MCID) and external partners ... Except there was still an issue. All I had to do was change 'login' to 'register' in the URL" to create a new account that could access the platform.
Now, I'll be the first to admit that security reporters are often quick to condemn organizations that fail to address vulnerabilities approximately five minutes after their disclosure, even though very few of us have ever needed to develop and deploy software at the scale of a multi-billion-dollar corporation. That's hardly fair. But it's hard to believe McDonald's is taking the security of its "Feel-Good Design Hub" seriously when it takes an entire quarter to resolve a problem... only to have the fix bypassed by changing a single word in a URL. Ronald would be disappointed.
Even that might be excused because, again, developing and deploying software at scale is difficult. Things happen! But then BobDaHacker went on to point out that simply registering a new account prompted the Feel-Good Design Hub to send the password associated with that account in plain-text, even though we as a society have known better than that for decades at this point. And that wasn't even the most embarrassing thing about McDonald's security processes revealed in BobDaHacker's blog post!
"McDonald's HAD a security.txt file with contact info. But they removed it 2 months after adding it. I only found it through the Wayback Machine, and by then it was outdated. So, how do you report security vulnerabilities to a corporation with no security contact? I literally called McDonald's HQ and started dropping random security employee names I found on LinkedIn," Bob said. (Emphasis not added.) "The HQ hotline just asks you to say the name of the person you want to be connected to. So I kept calling, saying random security employee names until finally someone important enough called me back and gave me an actual place to report these issues."
Bob said that McDonald's appeared to fix "most of the vulnerabilities" they disclosed, but the company also let go of Bob's friend, who had helped them investigate some of the vulnerabilities, and it "never established a proper security reporting channel." (I couldn't find a security.txt file on the company's website, and a search for "McDonald's security disclosure" doesn't return any relevant results, either.) That seems ill-advised, given that other researchers would probably give up on trying to disclose vulnerabilities long before Bob did. Having to search on LinkedIn and repeatedly call a hotline is not ideal.
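For reference, a security.txt file in the format defined by RFC 9116 is served at /.well-known/security.txt and needs only a handful of fields. The file below is an added, constructed example with placeholder values, not McDonald's file and not the one Bob found in the Wayback Machine; the Expires field is mandatory, and letting it lapse is what makes a published file "outdated" in the way the post describes.

```text
Contact: mailto:security@example.com
Contact: https://example.com/report-a-vulnerability
Expires: 2026-06-30T23:59:00.000Z
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security-policy
```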
It's been a little over a month since I reported on a different security gaffe affecting McDonald's. In that case, a platform with access to private information was secured with the password "123456." Now we know BobDaHacker was able to use the Feel-Good Design Hub to access a variety of resources, from "highly confidential and proprietary" marketing information to a service that could be used to "search for ANY McDonald's employee globally" and see their email address, among other things.

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.
JamesJones44: I doubt MCD has an internal development team; if they do, it's likely not one versed in security. MCD most likely farms that out to a 3rd party vendor (not uncommon in the non-tech industries) and MCD's security architects are asleep at the wheel or consultants themselves with several different clients.
USAFRet:
JamesJones44 said: "I doubt MCD has an internal development team"
They have plenty: https://careers.mcdonalds.com/technology