I Hacked McDonald's (Security Contact Was Harder to Find Than Secret Recipe)

Source: https://news.ycombinator.com/rss
Summary

They fixed the vulnerabilities after I literally had to cold-call their HQ pretending to know security employees. This is that story.

It Started With Free Nuggets

So I found out the McDonald's app wasn't checking server-side whether you actually had enough reward points. Just client-side validation. I immediately tried to report it. That turned into a whole saga. I managed to reach a software engineer who said he was "too busy" to take my report and would find someone else. I told him it was something for free food, so I guess he looked at the code and figured it out himself. The bug got fixed days later. Maybe he passed it along, maybe he fixed it himself - but at least it got patched.

Then The Real Hunt Began

After that experience, I kept digging. And McDonald's security was... interesting.

The Design Hub Situation

The McDonald's Feel-Good Design Hub is their central platform for brand assets and marketing materials - used by teams and agencies across 120 countries. It used to be "protected" by a client-side password. Yes, CLIENT-SIDE. After I reported this, they took 3 months to implement a proper account system with different login paths for McDonald's employees (using their EID/MCID) and external partners.

Except there was still an issue. All I had to do was change "login" to "register" in the URL: https://admin.me.mcd.com/feel-good-design/register

The endpoint was wide open. When you tried to register without all the fields, it would literally tell you what was missing. So I added them: "User has successfully registered" - that was surprisingly easy.

And here's the interesting part - they email you your password in plaintext. In 2025. I just retested this to make sure, and it still works. If they want people accessing their confidential materials, I guess that's their choice. This is from a video in the Design Hub: "McDonald's highly confidential and proprietary information. For internal use by McDonald's system only and not ..."

First seen: 2025-08-23 16:39

Last seen: 2025-08-23 16:39