10:30
Hacker posted a Shrek image in McDonald’s internal system to expose security flaws
16:57
All the highlights from Made by Google 2025
11:32
Search engines expose hundreds of thousands of Grok user conversations
18:46
China is building a robot capable of giving birth
13:57
WhatsApp Beta introduces AI-Powered message editing
13:37
Microsoft brings AI-powered auto-fill to Excel spreadsheets
10:30
Hacker posted a Shrek image in McDonald’s internal system to expose security flaws
16:57
All the highlights from Made by Google 2025
11:32
Search engines expose hundreds of thousands of Grok user conversations
18:46
China is building a robot capable of giving birth
13:57
WhatsApp Beta introduces AI-Powered message editing
13:37
Microsoft brings AI-powered auto-fill to Excel spreadsheets
10:30
Hacker posted a Shrek image in McDonald’s internal system to expose security flaws
16:57
All the highlights from Made by Google 2025
11:32
Search engines expose hundreds of thousands of Grok user conversations
18:46
China is building a robot capable of giving birth
13:57
WhatsApp Beta introduces AI-Powered message editing
13:37
Microsoft brings AI-powered auto-fill to Excel spreadsheets
10:30
Hacker posted a Shrek image in McDonald’s internal system to expose security flaws
16:57
All the highlights from Made by Google 2025
11:32
Search engines expose hundreds of thousands of Grok user conversations
18:46
China is building a robot capable of giving birth
13:57
WhatsApp Beta introduces AI-Powered message editing
13:37
Microsoft brings AI-powered auto-fill to Excel spreadsheets
A “white hat” hacker uncovered a series of serious vulnerabilities in McDonald’s internal systems and in the fast-food giant’s mobile app.
According to BobDaHacker, the app contained a flaw that allowed users to place orders without paying. The bug let payments go through using non-existent bonus points.
Attempts to report the issue went nowhere, there was no clear submission form. Even contacting one of McDonald’s own engineers didn’t resolve the matter quickly, and the bug was only fixed several days later.
BobDaHacker then uncovered new vulnerabilities, this time in McDonald’s internal network:
- He gained access to the restricted section of McDonald’s Feel-Good Design Hub — a portal for staff and ad agency partners across 120 countries, used to share marketing materials.
- Accessing the portal turned out to be trivial. Although McDonald’s patched the flaw three months later, BobDaHacker was able to break in again. Simple manipulations let him create a new account and log in without restriction.
- Another related vulnerability: keys to services like MagicBell and Algolia were found in the portal’s code. These could potentially have allowed attackers to pull user lists, send messages or notifications on behalf of McDonald’s, and access personal user data.
And that wasn’t all
It turned out that employees at different levels had overlapping access to corporate portals. Systems built for specific job tiers were not properly segmented, meaning a junior staff member, using their account, could enter portals meant for senior employees or even executives.
In simple terms, regular employees could access systems theoretically reserved for management. This could have exposed internal documents and sensitive staff information.
The researcher notes that reaching McDonald’s with details of these vulnerabilities remains difficult. The company still lacks a security.txt file — the industry standard for making it easier for security researchers to report issues.
To draw attention to the flaws, BobDaHacker said he not only called McDonald’s headquarters, but also posted a picture of Shrek on one of the company’s internal platforms.
Editor’s pick
