Hackers Expose McDonald’s Security Flaws

A white-hat hacker, known as Bobdahacker, has discovered critical security flaws in McDonald’s staff and partner portals. The issues allowed anyone to order free food online, gain admin rights to marketing materials, and potentially access corporate email accounts.

Bobdahacker first noticed the problem in McDonald’s online delivery app, which validated loyalty credit points only on the client side, with no corresponding server-side check. She also found that the company lacked a valid security.txt file, making it difficult for researchers to report vulnerabilities.
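The failure mode described here, a balance check that exists only in the app, is easiest to see next to its fix. The following is an added illustration, not McDonald’s code: a loyalty-points redemption handler written two ways. The account store, menu prices and request shape are all constructed for the example.

```javascript
// Added example (not McDonald's code): a loyalty-points redemption handler
// written two ways. The store layout, item prices and request shape are
// constructed for illustration.

// Constructed sample account store: a fresh copy per call keeps runs independent.
function newStore() {
  return new Map([
    ["alice", { points: 120 }],
    ["bob", { points: 0 }],
  ]);
}

// Constructed menu: points required to redeem each item.
const MENU = Object.freeze({ burger: 100, fries: 50 });

// Insecure variant: the server accepts the client's own assertion
// (`clientSaysEnoughPoints`) and never compares the stored balance to the cost.
// This mirrors the flaw described above: validation happens only in the app,
// so a request that simply sets the flag redeems against a zero balance.
function redeemTrustingClient(store, req) {
  const acct = store.get(req.user);
  if (!acct) return { ok: false, reason: "no such account" };
  if (!req.clientSaysEnoughPoints) return { ok: false, reason: "client rejected" };
  acct.points -= MENU[req.item] ?? 0; // balance can go negative
  return { ok: true, points: acct.points };
}

// Hardened variant: eligibility is recomputed from server-held state only.
// Any client-supplied balance or flag is ignored, and the debit is refused
// unless the stored balance covers the cost of a known item.
function redeemServerSide(store, req) {
  const acct = store.get(req.user);
  if (!acct) return { ok: false, reason: "no such account" };
  const cost = MENU[req.item];
  if (cost === undefined) return { ok: false, reason: "unknown item" };
  if (!Number.isInteger(acct.points) || acct.points < cost) {
    return { ok: false, reason: "insufficient points" };
  }
  acct.points -= cost;
  return { ok: true, points: acct.points };
}

// Stand-alone demonstration: the same tampered request against both handlers.
if (typeof require !== "undefined" && require.main === module) {
  const tampered = { user: "bob", item: "burger", clientSaysEnoughPoints: true };
  console.log("client-trusting:", redeemTrustingClient(newStore(), tampered));
  console.log("server-side:   ", redeemServerSide(newStore(), tampered));
}
```

The design point is that the client can only ever be a hint: the server must hold the balance, compute the cost itself, and reject the request when they do not agree. A useful detection signal for the insecure pattern is any account whose stored balance goes negative, which the hardened handler makes impossible.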

When Bobdahacker contacted McDonald’s security staff on LinkedIn, she received a response that they were “too busy” to fix the issue until she pointed out the potential for free food. The company eventually addressed the problems but not before three months had passed.

Further investigation revealed that McDonald’s marketing materials and ordering system contained several security vulnerabilities, including exposure of MagicBell API keys and secrets, allowing attackers to access user information and create mischief. Even staff portals were vulnerable due to a faulty OAuth implementation.

The issues also affected CosMc’s, a coffee shop brand launched by McDonald’s in 2023. Researchers found that promotional membership coupons could be easily reset and the wording changed at will.

While McDonald’s appears to have fixed most of these issues, Bobdahacker notes that the Feel-Good Design Hub remains insecure for registrations. The company has not yet released a security.txt file for researchers to use if they find further vulnerabilities.
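For readers unfamiliar with the file the article keeps returning to, this is an added example of what a security.txt looks like, not a file published by McDonald’s. It follows the RFC 9116 format and is served at the path `/.well-known/security.txt`; every value is a placeholder.

```text
# Added example (not McDonald's file): a minimal security.txt in the RFC 9116
# format, served at https://example.com/.well-known/security.txt.
# All values are placeholders.
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-01-01T00:00:00.000Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security-policy
```

`Contact` and `Expires` are the two required fields; the rest are optional. The `Expires` date forces the file to be revisited so that a stale reporting address is noticed, and RFC 9116 recommends signing the file with OpenPGP so a researcher can tell it has not been tampered with.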

Recent research also exposed weaknesses in McDonald’s AI chatbot Olivia, which was found to be easily hackable using a password of 123456. The incident highlights the need for ongoing security efforts to protect sensitive information and prevent exploitation by malicious actors.

Source: https://www.theregister.com/2025/08/20/mcdonalds_terrible_security