Researcher finds a free nuggets exploit exposed much deeper flaws within McDonald’s systems

McDonald’s apparently has no obvious path for researchers to report vulnerabilities

A URL change from “login” to “register” granted account access

What began as an attempt to claim free food through the McDonald’s app rewards system turned into something far more revealing for one expert.

A security researcher known as “BobDaHacker” discovered serious weaknesses in McDonald’s online systems while trying to redeem a reward for free McNuggets through the company’s mobile app.

The flaw ran deep, granting access to the “Feel-Good Design Hub,” a central platform for marketing assets and brand materials used by employees and agencies in more than 120 countries.

Reporting security issues the hard way

Attempts to disclose these flaws highlighted another concern: McDonald’s had no clear path for researchers to report vulnerabilities - according to Bob, the company once had a “security.txt” file listing contacts, but it disappeared just months after being posted.

With no direct disclosure channel, Bob had to dig through LinkedIn for staff names and repeatedly call headquarters until someone finally responded.

This drawn-out process suggests other researchers may give up long before their findings reach the right people.

Even after McDonald’s replaced its password system with an account-based login, another oversight remained.

By altering “login” to “register” in the URL, Bob was able to create new accounts with full access.

Worse still, when registering, the system emailed plain-text passwords - a practice discredited for decades because of the risks it creates for identity theft and misuse.

While companies at McDonald’s scale face unique challenges in rolling out secure systems, such basic failures raise difficult questions about priorities.

This is not the first time McDonald’s has faced scrutiny for weak safeguards: just a month earlier, a different issue came to light when a platform storing private data was protected by the password “123456.”

When flaws are repeatedly so easy to exploit, it raises doubts about whether firewalls, security suites, or even routine internal reviews are consistently applied.

For a corporation with global reach, lapses of this kind have consequences beyond marketing assets, as employee and customer information could be at stake.

McDonald’s reportedly fixed most of the vulnerabilities flagged by Bob, but the company has not reestablished a reliable reporting channel for future disclosures.

Without one, the risk remains that serious flaws will be overlooked or ignored until exploited.

Via Tom's Hardware