“It started with free nuggets”: how a hacker confronted McDonald’s with its security flaws


A professional hacker known by the pseudonym “Bobdahacker” recounts how her hunt for vulnerabilities at McDonald’s, which began with a simple order of free nuggets, uncovered further security flaws and led to the dismissal of an employee who had agreed to help her. Her security report lays out the stages of an investigation that is as effective as it is surprising.

In the world of cybersecurity there are several categories of hackers. Some are cybercriminals who harm companies, for example by launching ransomware attacks. Others, on the contrary, seek to help companies by disclosing the flaws they discover.

Bobdahacker belongs to the second category. On August 17, 2025, this so-called “ethical” hacker published a report detailing her findings on the American fast-food giant McDonald’s.

But this investigation, which was supposed to benefit the company’s security, did not get the reception one might expect. Between the difficulty of reaching the right people and the dismissal of an employee who supported her hunt for vulnerabilities, Bobdahacker’s white-hat operation took some unexpected turns.

Already in July 2025, a security flaw had exposed the data of 64 million applicants on McHire, McDonald’s recruitment platform, which was protected by the laughable password “123456”. Source: Flickr/Mike Mozart

“How I hacked McDonald’s”

It all started when Bobdahacker noticed that the McDonald’s app did not verify loyalty points on the server side, only on the client side. Because the app trusted whatever balance the client reported, anyone with a little skill could fool Ronald into handing out free rewards.

Delighted with her discovery, our ethical hacker contacted an IT staffer at McDonald’s. At first he said he was too busy to deal with the problem. But once Bobdahacker pointed out that the flaw would let anyone get food delivered for free, the company finally reacted and the bug was fixed within a few days.

After this mixed first contact, Bobdahacker decided to keep exploring McDonald’s internal tools and found that the company’s global marketing resources platform, supposedly reserved for employees and partners, was protected only by a client-side password check, and was therefore easy to bypass.
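Both the loyalty-points bug and the marketing platform’s password gate are the same class of flaw: the server trusts state that the client controls. The example below is added here to illustrate that class and is not code from the article or from McDonald’s. It models a reward redemption endpoint twice: an insecure handler that believes the balance the app reports, and a hardened one that authorises only against the server-side ledger. The customer IDs, reward catalogue and point balances are constructed sample data.

```javascript
// Server-side ledger: the only source of truth for how many points a
// customer really has (constructed sample data).
const ledger = new Map([
  ["cust-001", 2000],
  ["cust-002", 0],
]);

// Reward catalogue with prices in points (constructed).
const catalogue = {
  nuggets_6pc: 1500,
  fries_medium: 1000,
};

// Vulnerable handler: the only balance check is against a number the
// client sends, so a tampered request redeems anything for free.
function redeemInsecure(store, request) {
  const price = catalogue[request.reward];
  if (price === undefined) return { ok: false, reason: "unknown reward" };
  if (request.claimedPoints < price) {
    return { ok: false, reason: "insufficient points" };
  }
  // Even the new balance is derived from attacker-controlled input.
  store.set(request.customerId, request.claimedPoints - price);
  return { ok: true, reward: request.reward };
}

// Hardened handler: claimedPoints is ignored entirely. Authorisation and
// the debit both use the ledger record, so the client cannot influence
// either the decision or the resulting balance.
function redeemSecure(store, request) {
  const price = catalogue[request.reward];
  if (price === undefined) return { ok: false, reason: "unknown reward" };
  const balance = store.get(request.customerId);
  if (balance === undefined) return { ok: false, reason: "unknown customer" };
  if (balance < price) return { ok: false, reason: "insufficient points" };
  store.set(request.customerId, balance - price);
  return { ok: true, reward: request.reward };
}

// A tampered request: a customer with 0 points claims 999999 (constructed).
const tampered = {
  customerId: "cust-002",
  reward: "nuggets_6pc",
  claimedPoints: 999999,
};

// Run the same tampered request through both handlers on fresh copies of
// the ledger so the outcomes can be compared side by side.
function demo() {
  const insecure = redeemInsecure(new Map(ledger), tampered);
  const secure = redeemSecure(new Map(ledger), tampered);
  return { insecure, secure };
}

console.log(demo());
```

The hardened handler still accepts a `claimedPoints` field so that an unchanged app keeps working; it simply never reads it. That is the general fix: any value that affects an authorisation or money-equivalent decision must be looked up or recomputed on the server, never taken from the request.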

A new report followed, and the company took almost three months to put a new access system in place.

But here too, security remained flawed: Bobdahacker showed that it was enough to change the URL (swapping “login” for “register”) to create an account by filling in the right fields. Worse, the generated password was sent in plain text by e-mail, a thoroughly outdated practice.

Cascading flaws, unexpected consequences

Several other discoveries followed: API keys left exposed, allowing an attacker to enumerate users and mount highly convincing phishing campaigns, and a misconfigured internal search engine that exposed personal information on many employees.

The investigation also reports another worrying finding: because of a poor OAuth configuration, a simple “crew member” could access portals reserved for executives. To prove this flaw, Bobdahacker used the access of a friend who worked there: that account could, among other things, display the professional, and sometimes personal, information and e-mail addresses of any employee, from restaurant manager to CEO.

If finding vulnerabilities came easily to Bobdahacker, reporting them proved harder. McDonald’s has no security.txt file, the file that normally tells researchers how to alert a company. Undeterred, the hacker called corporate headquarters and cold-messaged security staff found on LinkedIn at random, until someone in a position to act finally called her back and explained how to submit her findings.
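For reference, this is what the missing file looks like. It is an added illustration following RFC 9116, not McDonald’s actual security.txt; the domain, addresses and URLs are example.com placeholders, and the file is served at /.well-known/security.txt. `Contact` and `Expires` are the two mandatory fields; the rest are optional.

```text
# Example security.txt (RFC 9116), served at https://example.com/.well-known/security.txt
# Added illustration with placeholder values; not any company's real file.
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-08-17T00:00:00.000Z
Encryption: https://example.com/pgp-key.txt
Acknowledgments: https://example.com/security/thanks
Preferred-Languages: en, fr
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security/disclosure-policy
```

A researcher who finds this file knows immediately where to send a report and how to encrypt it, which is exactly the step Bobdahacker had to improvise through LinkedIn and the switchboard.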

Since then, most of the flaws have been fixed, but this work does not seem to have been valued at its true worth. After helping Bobdahacker, her employee friend was dismissed by management for “security reasons”.

Add Numerama to your home screen, stay connected to the future!