McDonald’s Digital Security Breach Exposed

A recent series of vulnerabilities in McDonald’s digital infrastructure exposed executive data, enabled free-food exploits, and revealed weaknesses in the company’s security measures. The issues began with a simple app glitch and grew into a months-long trial, culminating in the researcher BobDaHacker cold-calling the company’s headquarters and naming security employees found on LinkedIn.

The vulnerabilities affected multiple platforms, including the Design Hub, which was used by teams in 120 countries. Its protection was only a client-side password check, which made it easy for users to reach confidential materials intended for internal use only. The API also told callers which fields were missing from a request, making account creation alarmingly easy.

Further issues included exposed Magicbell API keys and secrets, listable Algolia search indexes, and employee portals that allowed basic crew member accounts to access TRT, a corporate tool. A severe vulnerability in McDonald’s AI-powered hiring system exposed 64 million job applicants’ personal data through weak security: the password was “123456.”

In the aftermath, most vulnerabilities were addressed, but some may linger. The researcher emphasized the importance of maintaining an up-to-date security.txt file, providing direct security contacts, and launching a bounty program to encourage ethical disclosures. This incident highlights the perils of lax security in global corporations and the lengths to which researchers go to protect them.

To minimize risks, experts recommend safely detonating suspicious files to uncover threats and cut incident response time. With an ANYRUN sandbox trial, investigators can start their investigations without causing harm to their organization or others.

Source: https://cybersecuritynews.com/mcdonalds-free-nuggets-hack