McDonald's security breach exposed through a clever hack: changing 'login' to 'register' in the URL led to the website revealing a new account's plaintext password, driven by a researcher's pursuit of free nuggets.
McDonald's Suffers Another Security Gaffe: Researcher Gains Access to Sensitive Platform
A security researcher known as BobDaHacker has exposed another security lapse at McDonald's, this time involving the company's internal platform, the "Feel-Good Design Hub." The platform is used by McDonald's teams and agencies across 120 countries to manage sensitive information, including brand assets and marketing materials.
The latest incident sheds light on the fast-food giant's inadequate security measures and reporting processes.
Lack of Proper Security Contact Channels
Initially, McDonald's had a security.txt file—a standard at many companies for vulnerability reporting. However, the file was removed two months prior to BobDaHacker's discovery, leaving no clear, updated way for researchers to report issues. As a result, BobDaHacker had to resort to cold-calling McDonald's headquarters and using LinkedIn to find security employees to report vulnerabilities.
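For readers unfamiliar with the standard mentioned above, this is what a minimal security.txt file (RFC 9116) looks like. It is an added illustration, not McDonald's own file; the host, addresses and URLs are placeholders. The file is served at /.well-known/security.txt, and the Contact and Expires fields are mandatory.

```text
# Placeholder example served at https://example.com/.well-known/security.txt
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-12-31T23:59:59.000Z
Preferred-Languages: en
Policy: https://example.com/security/disclosure-policy
Canonical: https://example.com/.well-known/security.txt
```

The Expires field is what keeps a stale file from misdirecting researchers: once it passes, tooling treats the file as invalid, so publishing one is an ongoing commitment rather than a one-time step.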
Delayed and Partial Fixes
After making contact, McDonald's addressed "most of the vulnerabilities" reported by BobDaHacker. However, some fixes were incomplete, and the company reportedly did not engage properly with researchers or establish a clear, ongoing reporting process.
Internal Consequences
Despite helping with investigations, a collaborator of BobDaHacker was dismissed from McDonald's, which might discourage future cooperation from security researchers.
Specific Example of Poor Security Practices
One of the vulnerabilities discovered by BobDaHacker was in the new account creation process of the "Feel-Good Design Hub," which returned the passwords of newly created accounts in plaintext. In an earlier instance, the platform had also been protected by the weak password "123456." Other flaws allowed unauthorized free ordering, admin access to marketing materials, and exposure of corporate email accounts usable for phishing.
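The two account-handling flaws described above (a registration response that echoes the password, and acceptance of "123456") are both caught by the same small set of defensive checks. The following Python is an added example written for this article, not code from McDonald's or from BobDaHacker's report: a framework-independent registration flow that enforces a password policy, stores only a salted scrypt hash, and builds a response that never contains the password, plus a test helper that scans a response for the submitted secret. The deny-list and the `build_insecure_response` anti-pattern are constructed for illustration.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass

# Constructed deny-list for illustration; a real deployment would check against
# a large breached-password corpus rather than a handful of strings.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678", "letmein"}
MIN_PASSWORD_LENGTH = 12


class WeakPasswordError(ValueError):
    """Raised when a submitted password fails the policy check."""


@dataclass
class StoredUser:
    username: str
    salt: bytes
    password_hash: bytes  # scrypt output only; the plaintext is never stored


def check_password_policy(password: str) -> None:
    """Reject short passwords and anything on the deny-list (e.g. '123456')."""
    if len(password) < MIN_PASSWORD_LENGTH:
        raise WeakPasswordError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        raise WeakPasswordError("password is on the common-password deny-list")


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted scrypt from the standard library (n=2**14, r=8, p=1 baseline)."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)


def register(username: str, password: str) -> tuple[StoredUser, dict]:
    """Create an account and build the API response.

    The response carries only a status and the username; the password is
    hashed for storage and is never echoed back to the client.
    """
    check_password_policy(password)
    salt = os.urandom(16)
    user = StoredUser(username=username, salt=salt, password_hash=hash_password(password, salt))
    response = {"status": "created", "username": username}
    return user, response


def verify_login(user: StoredUser, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hash_password(password, user.salt)
    return hmac.compare_digest(candidate, user.password_hash)


def build_insecure_response(username: str, password: str) -> dict:
    """Anti-pattern (constructed): the kind of response the article describes,
    where the server hands the plaintext password back to the caller."""
    return {"status": "created", "username": username, "password": password}


def response_leaks_secret(response: dict, secret: str) -> bool:
    """Test helper: does the serialised response contain the secret anywhere?
    Run this against every response of a registration or reset endpoint."""
    return secret in json.dumps(response)


if __name__ == "__main__":
    user, resp = register("alice", "correct-horse-battery-staple")
    print("response:", resp, "leaks password:", response_leaks_secret(resp, "correct-horse-battery-staple"))
    print("login ok:", verify_login(user, "correct-horse-battery-staple"))
    try:
        register("bob", "123456")
    except WeakPasswordError as exc:
        print("rejected:", exc)
```

The `response_leaks_secret` check belongs in the endpoint's test suite rather than in production code: it is a cheap regression guard that would have flagged the behaviour described in this article the first time the registration response was serialised.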
Broader Security Weaknesses
This incident is not the first time McDonald's has faced security issues. Other related incidents showed poor identity and access management, such as weak passwords, inactive admin accounts (last used in 2019), and misconfigured AI chatbots exposing data of millions of job applicants.
Improvements and Next Steps
McDonald's took three months to implement a proper account system with different login paths for employees and external partners following the discovery of these vulnerabilities. However, the absence of a proper security disclosure channel and incomplete remediation highlight systemic shortcomings in their vulnerability management processes.