Hacking Was the Easy Part, Notifying McDonald’s the Extremely Difficult Bit
A security researcher gained access to McDonald’s global marketing portal by changing a single word in its URL, uncovering a slew of additional vulnerabilities. The hard part was notifying the burger giant about the flaws, says self-described ethical hacker “BobDaHacker.”
See Also: What Manufacturing Leaders Are Learning About Cloud Security – from Google’s Frontline
After already poking around McDonald’s infrastructure and finding a flaw that could allow hackers to obtain free food through the fast food corporations’ app, the researcher additionally found a central platform for marketing materials that McDonald’s dubs the “Feel-Good Design Hub.” The platform allowed unauthorized access by switching the site address from “login” to “register.”
Reporting to corporate the flaws was the hard part, the researcher said in a Monday blog post, adding that McDonald’s fired an employee who helped in the research.
“McDonald’s had a security.txt file with contact info. But they removed it two months after adding it,” BobDaHacker wrote in his blog. “I only found it through the Wayback Machine, and by then it was outdated.”
Security.txt is a proposed standard for companies to give white hat hackers directions for disclosing security flaws through a text file embedded into a directory folder designated .well-known. It has the endorsement of several government agencies including the U.S. Cybersecurity and Infrastructure Security Agency, the Australian Cyber Security Center and major companies such as Google, Facebook and Cloudflare.
BobDaHacker resorted to cold-calling corporate headquarters and using the names of security staff found on LinkedIn to get the findings acknowledged. “I kept calling, saying random security employee names until finally someone important enough called me back and gave me an actual place to report these issues,” they wrote. McDonald’s did not respond to a request for comment.
Enlisting the help of a friend who worked at a restaurant, BobDaHacker found that low-level credentials given to “crew members” – employees manning the cash register or working the grill – worked to obtain the email address of any McDonald’s employee across the globe, which typically were personal emails. “My friend who helped me research the OAuth vulnerabilities was let go for ‘security concerns from corporate,'” BobDaHacker recounted.
On the Feel-Good Design Hub, the researcher found an API key used for sending out employee notifications. With the key, an attacker could have “basically run a phishing campaign with McDonald’s own infrastructure.”
On a platform dedicated to franchise owners called Global Restaurant Standards, BobDaHacker found there was no authentication for admin functions, leading them to temporarily posting an image of cartoon character Shrek on the homepage. A knowledge management platform was configured such that anyone with a legitimate credential could read “internal corporate documents.”
This is McDonald’s second time in just as many months that researchers have found security flaws in its infrastructure. Researchers Ian Carroll and Sam Curry in July discovered that an artificial intelligence-fueled hiring chatbot tool accepted the password “123456” and that a related API flaw gave access to applicant records. In that case, McDonald’s was responsive to queries, blaming the flaw on Paradox, the AI firm behind the chatbot (see: Breach Roundup: I’m Lovin’ McDonald’s ‘123456’ Password).