Researcher uncovers McDonald’s security flaw - ShiftDelete.Net Global

ShiftDelete.net
FOLLOW US

Researcher uncovers McDonald’s security flaw

McDonald’s security flaw exposed after researcher bypassed logins by editing a URL, uncovering plain-text passwords and global employee data.

McDonald’s-security-flaw-1

A researcher calling himself BobDaHacker says a hunt for free McNuggets through McDonald’s mobile app led him to a serious McDonald’s security flaw.

The issue came from the “Feel-Good Design Hub,” a platform used by McDonald’s teams and agencies in more than 120 countries. At first, it relied on a client-side password. When Bob flagged the weakness, McDonald’s added an account-based login. But that fix was easy to bypass. By changing “login” to “register” in the URL, Bob created new accounts with full access.

From nuggets to plain-text passwords

McDonald’s-security-flaw-2

Each new registration triggered an email with the account password written in plain text. In 2025, that kind of practice is one of the clearest signs of poor security.

Exploring further, Bob found more holes. He could view “highly confidential” marketing material and even search for any McDonald’s employee worldwide, complete with email addresses.

Microsoft emergency Windows update released for Windows 10 and 11

Microsoft emergency Windows update released for Windows 10 and 11

Microsoft emergency Windows update fixes reset and recovery failures on Windows 10 and 11. Install KB5066189/188 now to avoid issues.

Reporting the issue turned into its own hack

Bob then tried to report the problem. It once had a security.txt file with contact details, but removed it months later. With no direct reporting channel left, Bob got creative.

“I called McDonald’s HQ,” he explained. “The hotline asks for the name of the person you want. So I started naming random security staff I found on LinkedIn until someone finally called me back.”

McDonald’s response

Bob says McDonald’s has fixed most of the vulnerabilities. Still, he criticized the company for failing to set up a proper disclosure process and for cutting ties with a collaborator who helped him during the investigation. Without a reliable reporting path, future researchers might walk away instead of pushing to disclose flaws.

Another McDonald’s security stumble

Just last month, another McDonald’s platform turned up with a password set to “123456.” Combined with Bob’s findings, the picture is clear: one of the world’s biggest brands still struggles with basic security.

What began as a simple quest for free nuggets ended with BobDaHacker exposing how easily McDonald’s systems could be breached. Ronald wouldn’t be lovin’ it.

McDonald’s
McDonald’s App
security flaw

SDN Comments 0 Comments

Comment

HOW TOAll

Related News

Apple Vision Pro Powered by the Apple M5
Apple Vision Pro Powered by the Apple M5
The new Xbox may be more powerful than PS6
The new Xbox may be more powerful than PS6
What does the Apple M5 chip offer?
What does the Apple M5 chip offer?
Apple M5 iPad Pro is here to be the most powerful
Apple M5 iPad Pro is here to be the most powerful

SDN Network

Sihirli Elma Yeşil Robot Tech Inside Pembe Teknoloji Future Flow Life

SDN.net

1250 BORREGAS AVENUE, #40, SUNNYVALE, CA
94089 ShiftDelete.Net LLC

info@shiftdelete.net

Shiftdelete.Net is a member of the Association of Internet Media and IT Reporters.

Desteklio