McDonald’s Security Flaw Exposed After Hackers Use Simple URL Change

Security researcher BobDaHacker has revealed a serious vulnerability in McDonald’s Feel-Good Design Hub platform, which exposed sensitive information to unauthorized users. The issue was discovered when BobDaHacker tried to use the app to claim free McNuggets and found that changing ‘login’ to ‘register’ in the URL prompted the site to send his password in plain text.

The researcher reported the issue to McDonald’s after three months, and it took the company an additional quarter to resolve it. However, even after the fix, BobDaHacker found that the security flaw could still be bypassed by changing a single word in the URL.

Furthermore, BobDaHacker discovered that McDonald’s had previously displayed a security.txt file with contact information, which was removed just two months after it was added. The researcher tried to report vulnerabilities through LinkedIn and repeatedly called McDonald’s HQ hotline, eventually finding someone important enough to connect him to an actual security channel.

While McDonald’s has since fixed “most of the vulnerabilities,” the company let go of BobDaHacker’s friend who helped investigate some of the issues. This lack of a proper security reporting channel may deter other researchers from disclosing future findings.

Source: https://www.tomshardware.com/tech-industry/cyber-security/prompted-by-free-nuggets-security-researcher-uncovers-staggering-mcdonalds-internal-platform-vulnerability-changing-login-to-register-in-url-prompted-site-to-issue-plain-text-password-for-a-new-account