Every good story starts with something small. For cybersecurity researcher BobDaHacker, it began with a craving for chicken nuggets. What he found, however, went far beyond free food.
A quick test of McDonald's mobile app turned into an exploration of fragile systems, exposed data, and surprising oversights inside one of the world's biggest fast-food giants. This is not a tale of malicious intent; it's a lesson in how even the biggest corporations can fumble the basics of security.
The Free Nuggets Flaw
The mobile app validated reward points only on the client: the app running on the user's device decided whether an account had enough points, and the server accepted that verdict. Because the API never re-checked the balance against its own records, anyone could modify the redemption request and claim items such as chicken nuggets without holding enough points, a basic but critical failure.
When Bob reported this, an engineer initially brushed it off as "too busy," though the bug was fixed just days later — likely after further review.
Reporting Woes
McDonald's had no valid security.txt file, the simple standardized document (RFC 9116, served at /.well-known/security.txt) that tells security researchers where and how to report vulnerabilities.
With no formal reporting path, Bob resorted to cold-calling McDonald's HQ, name-dropping randomly found security employee names from LinkedIn — until someone finally took the findings seriously.
From Client-Side Password to Open Registration
The Feel-Good Design Hub, a global repository for brand assets used in marketing across 120 countries, initially protected its content with nothing more than a client-side password. That is a fundamentally weak control: the check, and the password it compares against, ship to every visitor's browser.
Three months post-reporting, McDonald's added an account system differentiating between internal (EID/MCID) and external logins. Still, Bob discovered that changing the URL from /login to /register bypassed the proper flow entirely and exposed an open registration endpoint.
The registration API even returned helpful validation messages naming the fields it was missing, so an attacker could assemble a valid registration request simply by following the errors. Once registered, the system emailed the new user's password in plaintext, a glaring lapse: email is not a confidential channel, and a password should never need to travel through it at all.
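The two fixes this passage implies, closed registration and no password in the mail, as an added example in Python. This is illustrative code written for this article, not the Design Hub's; the in-memory stores, the 15-minute token lifetime, the scrypt parameters and the example.invalid address are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores standing in for the Design Hub's database and
# mail server (assumption: the real system's schema is unknown).
USERS: dict[str, dict] = {}
INVITES: dict[str, str] = {}                     # invite token -> invited address
SETUP_TOKENS: dict[str, tuple[str, float]] = {}  # setup token -> (address, expiry)
OUTBOX: list[dict] = []                          # mail the server "sent"

SCRYPT = {"n": 2 ** 14, "r": 8, "p": 1}          # ~16 MiB per hash, assumed tuning


def issue_invite(email: str) -> str:
    """Registration is closed: an administrator issues one unguessable invite
    per address instead of exposing an open /register."""
    token = secrets.token_urlsafe(32)
    INVITES[token] = email
    return token


def register(email: str, invite_token: str) -> str:
    """Hardened /register: refuses unless the caller holds a matching invite.
    No password is chosen or mailed here; the user sets one through a
    short-lived, single-use link. The setup token is returned only so the
    flow can be followed in a test; a real server only mails it."""
    invited = INVITES.pop(invite_token, None)
    if invited is None or not hmac.compare_digest(invited.encode(), email.encode()):
        raise PermissionError("registration requires a valid invite")
    if email in USERS:
        raise ValueError("already registered")
    USERS[email] = {"salt": None, "pw_hash": None}
    setup = secrets.token_urlsafe(32)
    SETUP_TOKENS[setup] = (email, time.time() + 15 * 60)
    OUTBOX.append({
        "to": email,
        "body": f"Choose a password: https://example.invalid/setup?token={setup}",
    })
    return setup


def set_password(setup_token: str, password: str) -> bool:
    """Consumes the setup token (single use, 15 min) and stores only a salted
    scrypt hash, so the server never keeps a password it could mail out."""
    entry = SETUP_TOKENS.pop(setup_token, None)
    if entry is None or entry[1] < time.time():
        return False
    email, _ = entry
    salt = os.urandom(16)
    USERS[email] = {
        "salt": salt,
        "pw_hash": hashlib.scrypt(password.encode(), salt=salt, **SCRYPT),
    }
    return True


def verify_login(email: str, password: str) -> bool:
    """Recomputes the hash and compares it in constant time."""
    user = USERS.get(email)
    if user is None or user["pw_hash"] is None:
        return False
    candidate = hashlib.scrypt(password.encode(), salt=user["salt"], **SCRYPT)
    return hmac.compare_digest(candidate, user["pw_hash"])
```

The mail the server sends carries only a link; the password is chosen by the user on the site, hashed on arrival, and never exists in the outbox.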
Exposed Secrets
Within the Design Hub's JavaScript, loaded by every visitor's browser, Bob found a MagicBell API key and secret in plaintext. Anyone who read the bundle could use them to:
- List all users
- Send phishing notifications via McDonald's own notification infrastructure
He also identified Algolia search indexes that could be listed publicly, revealing user data that should have been protected: names, email addresses and access request records.
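A small scanner of the kind that would have caught both findings before the bundle shipped, as an added example that is not part of the original write-up. It runs over a constructed JavaScript excerpt; the key names and values in it are invented for the demo and do not reflect MagicBell's or Algolia's real key formats.

```python
import math
import re

# A constructed excerpt of a front-end bundle, standing in for the Design Hub's
# JavaScript; the key shapes are invented for the demo, not real formats.
SAMPLE_JS = """
const notifications = createClient({
  apiKey: "mb_pub_3f9c2b1e8a7d4c6e",
  apiSecret: "c2VjcmV0LXRoYXQtc2hvdWxkLW5ldmVyLXNoaXA",
});
const search = algoliasearch("APPID123", "search-only-key-ok-to-ship");
const sessionSalt = "xK9vQ2mZ8pL4wR7tY1nB6cF3hJ5sD0aG";
const BUILD = "production";
"""

# Assignment to a secret-looking name: apiKey: "...", api_secret = '...', etc.
ASSIGN = re.compile(
    r"""(?i)\b([A-Za-z_]*(?:secret|api[_-]?key|token|password)[A-Za-z_]*)"""
    r"""\s*[:=]\s*["']([^"']{8,})["']"""
)
# Any longer quoted literal; judged by entropy rather than by name.
QUOTED = re.compile(r"""["']([A-Za-z0-9_\-+/=]{20,})["']""")


def shannon_entropy(s: str) -> float:
    """Bits per character of the literal's own symbol distribution."""
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_bundle(source: str, entropy_threshold: float = 4.0) -> list[dict]:
    """Returns one finding per suspicious literal with its line number.
    Named assignments are always reported (a publishable key still merits a
    look); anonymous literals are reported only above the entropy threshold."""
    findings: list[dict] = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in ASSIGN.finditer(line):
            findings.append({"line": lineno, "kind": "named-secret",
                             "name": m.group(1), "value": m.group(2)})
        for m in QUOTED.finditer(line):
            value = m.group(1)
            already = any(f["value"] == value for f in findings)
            if not already and shannon_entropy(value) >= entropy_threshold:
                findings.append({"line": lineno, "kind": "high-entropy",
                                 "name": None, "value": value})
    return findings


if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_JS):
        print(f"line {f['line']}: {f['kind']} {f['name'] or ''} {f['value'][:12]}...")
```

Run as a script it prints the flagged literals. The named-assignment rule deliberately reports publishable keys too: a reviewer decides what is safe to ship, the scanner only refuses to let it pass silently. The entropy rule, with a 4.0-bit threshold, separates random-looking tokens from human-readable strings such as the search-only key in the sample; lower it to trade false positives for recall.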
Crew Accounts Gaining Executive-Level Access
Testing with a crew member account, Bob gained access to TRT (trt.mcd.com) — a corporate portal meant for limited internal use. From there, he could:
- Search for any employee globally — from crew level up to the CEO
- Retrieve personal email addresses
- Use an "Impersonation" feature by entering an employee ID or name to access profiles and data
Global Restaurant Standards (GRS)
The GRS portal, used by franchisees for global operational guidelines, did not properly authenticate its admin functions. One API endpoint required neither authentication nor a session cookie and accepted arbitrary HTML, which Bob demonstrated by briefly defacing the homepage with a "You've been Shreked" message before restoring it.
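How the TRT directory features and the GRS admin endpoint should have been gated, as an added Python example written for this article rather than taken from either portal. The session model, role names, action names, directory records and audit log are assumptions; the point is that every handler authenticates and authorizes before it touches data, and that user-supplied HTML is escaped before it reaches a page.

```python
import html
from dataclasses import dataclass


# Constructed stand-ins for the TRT directory and the GRS homepage store; the
# roles, action names and records are assumptions made for this example.
@dataclass(frozen=True)
class Session:
    user_id: str
    role: str  # "crew", "manager" or "it_admin"


DIRECTORY = {
    "E100": {"name": "Crew Person", "email": "crew@example.invalid"},
    "E001": {"name": "Chief Exec", "email": "ceo@example.invalid"},
}
# Which roles may perform which action. Crew appears nowhere.
POLICY = {
    "directory.search": {"manager", "it_admin"},
    "directory.impersonate": {"it_admin"},
    "cms.publish": {"it_admin"},
}
AUDIT: list[dict] = []
PAGE = {"homepage": "<h1>Global Restaurant Standards</h1>"}


def authorize(session, action: str) -> None:
    """Every handler calls this first. Rejects anonymous callers, then checks
    the role against POLICY, and records the decision either way."""
    if session is None:
        raise PermissionError("authentication required")
    allowed = session.role in POLICY.get(action, set())
    AUDIT.append({"actor": session.user_id, "action": action, "allowed": allowed})
    if not allowed:
        raise PermissionError(f"{session.role} may not {action}")


def search_employee(session, query: str) -> list[dict]:
    authorize(session, "directory.search")
    # Even authorized callers get the work identity, not personal contact data.
    return [{"id": eid, "name": rec["name"]}
            for eid, rec in DIRECTORY.items() if query.lower() in rec["name"].lower()]


def impersonate(session, target_id: str) -> dict:
    """Impersonation is an administrative break-glass action: admin only, and
    the audit row ties the admin to the target they viewed."""
    authorize(session, "directory.impersonate")
    rec = DIRECTORY[target_id]
    AUDIT[-1]["target"] = target_id
    return {"id": target_id, "name": rec["name"], "email": rec["email"]}


def publish_banner(session, text: str) -> str:
    """The fix for the unauthenticated HTML endpoint: require an admin session,
    and treat the input as text by escaping it before it reaches the page."""
    authorize(session, "cms.publish")
    PAGE["homepage"] = ("<h1>Global Restaurant Standards</h1>"
                        f"<p>{html.escape(text)}</p>")
    return PAGE["homepage"]
```

Denied attempts are logged as well as granted ones: a crew session probing the impersonation feature is exactly the signal a detection team wants to see.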
Additional Flaws
Beyond the major platforms, Bob discovered:
-> A Stravito misconfiguration exposed internal corporate documents to low-level staff, bypassing the intended access restrictions.
-> On the CosMc's experimental restaurant app:
- A "new member" coupon meant to be one-time-use was not validated on the server, so calling the API directly allowed unlimited redemptions.
- Arbitrary data could be injected into order requests, revealing gaps in input validation.
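The nuggets bug and the CosMc's coupon bug are the same failure, a server trusting the client, so one added Python example covers both. It is illustrative code for this article, not McDonald's; the accounts, prices and promo code are constructed. The vulnerable handler is kept beside the hardened one, and the coupon check also guards against the race where two requests for the same one-time code arrive at once.

```python
import threading
from concurrent.futures import ThreadPoolExecutor

# Constructed ledger standing in for the rewards database; balances, prices
# and the promo code are assumptions for this example.
ACCOUNTS = {
    "rich": {"points": 1500, "promos_used": set()},
    "broke": {"points": 0, "promos_used": set()},
}
MENU_COST = {"nuggets_10pc": 1500, "fries": 1000}
PROMOS = {"NEWMEMBER": {"item": "fries", "once_per_account": True}}
_ledger_lock = threading.Lock()


def redeem_points_vulnerable(user_id: str, item: str, claimed_points: int) -> dict:
    """The anti-pattern described above: the server believes whatever balance
    the client reports, so a tampered request gets the item for nothing."""
    if claimed_points >= MENU_COST[item]:
        return {"ok": True, "item": item}
    return {"ok": False, "reason": "insufficient_points"}


def redeem_points(user_id: str, item: str, claimed_points=None) -> dict:
    """Hardened version: the client's claim is ignored; the server checks and
    debits its own ledger inside one critical section."""
    cost = MENU_COST.get(item)
    if cost is None:
        return {"ok": False, "reason": "unknown_item"}
    with _ledger_lock:
        acct = ACCOUNTS[user_id]
        if acct["points"] < cost:
            return {"ok": False, "reason": "insufficient_points", "balance": acct["points"]}
        acct["points"] -= cost
        return {"ok": True, "item": item, "balance": acct["points"]}


def redeem_promo(user_id: str, code: str) -> dict:
    """One-time coupon: the check and the 'mark used' write happen under the
    same lock, so two racing requests cannot both succeed."""
    promo = PROMOS.get(code)
    if promo is None:
        return {"ok": False, "reason": "unknown_code"}
    with _ledger_lock:
        used = ACCOUNTS[user_id]["promos_used"]
        if promo["once_per_account"] and code in used:
            return {"ok": False, "reason": "already_redeemed"}
        used.add(code)
        return {"ok": True, "item": promo["item"]}


def hammer_promo(user_id: str, code: str, attempts: int = 50) -> int:
    """Fires `attempts` concurrent redemptions and returns how many succeeded;
    a correct server answers 1 no matter how many are sent."""
    with ThreadPoolExecutor(max_workers=8) as pool:
        results = list(pool.map(lambda _: redeem_promo(user_id, code), range(attempts)))
    return sum(1 for r in results if r["ok"])
```

hammer_promo sends 50 concurrent redemptions for one code and counts the successes. Without the lock around the check-then-mark sequence a few of them could slip through even on a server that does validate, which is why "validate on the server" has to mean "check and commit atomically", not just "check".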
The Bigger Picture
McDonald's patched many of these problems after Bob's disclosures, but the process raised uncomfortable questions. Why were critical systems left exposed for so long? Why was the reporting path so broken that a researcher had to cold-call HQ?
Even more concerning: a crew member who helped Bob reportedly lost their job due to "security concerns." Instead of encouraging collaboration, the response discouraged it.
Not the First Time
This was not an isolated incident. Months earlier, McDonald's AI-powered hiring bot, "Olivia," was found to be protected by the laughably weak password "123456." That slip exposed the data of up to 64 million job applicants: names, emails, phone numbers, and more.
While the vendor behind Olivia fixed the issue and introduced a bug bounty program, the pattern is clear: McDonald's digital infrastructure has had repeated lapses in basic security hygiene.
Lessons Learned
- Validate on the server, not the client. Anything the client sends, including its own verdict on points or coupons, can be forged; the server must check against its own records on every request.
- Never ship secrets to the browser. Whatever is in the JavaScript bundle is public; keep API keys and secrets on the server and call third-party services through a backend that holds them.
- Enforce access control on every endpoint, not just in the UI. A crew account should never reach directory search, impersonation, or admin publishing features, and an admin API must demand a session before it acts.
- Never handle passwords in plaintext. Store only salted hashes and let users set their password through a short-lived link; email is not a confidential channel.
- Build a disclosure path. A security.txt file at /.well-known/security.txt, or a bug bounty program, turns a researcher's headache into a collaboration.
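A validator for the file this lesson (and the Reporting Woes section above) recommends, as an added example that is not part of the original article. It checks the two fields RFC 9116 requires, Contact and Expires, plus the rules a practitioner most often gets wrong; the GOOD and BAD files are constructed, and example.invalid is a reserved name standing in for a real host.

```python
from datetime import datetime, timezone

# Field names defined by RFC 9116; anything else is a typo or a non-standard
# extension and is worth a look.
KNOWN_FIELDS = {
    "Contact", "Expires", "Encryption", "Acknowledgments", "Preferred-Languages",
    "Canonical", "Policy", "Hiring", "CSAF",
}
CONTACT_SCHEMES = ("https://", "mailto:", "tel:")


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Splits the file into field -> values, keeping repeats (Contact may
    appear several times) and skipping comments and blank lines."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def validate_security_txt(text: str, now=None) -> list[str]:
    """Returns the list of RFC 9116 violations (empty means valid)."""
    now = now or datetime.now(timezone.utc)
    problems: list[str] = []
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]

    contacts = fields.get("Contact", [])
    if not contacts:
        problems.append("Contact is required")
    for c in contacts:
        if not c.startswith(CONTACT_SCHEMES):
            problems.append(f"Contact must be a URI (https, mailto or tel): {c}")

    expires = fields.get("Expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {expires[0]}")
        else:
            if exp.tzinfo is None:
                problems.append("Expires must carry a timezone")
            elif exp <= now:
                problems.append("Expires is in the past; the file is stale")

    for name in fields:
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field: {name}")
    return problems


# Constructed examples; example.invalid is a reserved name, not a real site.
GOOD = """\
# Served at https://example.invalid/.well-known/security.txt
Contact: mailto:security@example.invalid
Contact: https://example.invalid/report-a-vulnerability
Expires: 2099-01-01T00:00:00Z
Preferred-Languages: en
Canonical: https://example.invalid/.well-known/security.txt
Policy: https://example.invalid/security-policy
"""

BAD = """\
Contact: security@example.invalid
Expires: 2020-01-01T00:00:00Z
Expires: 2021-01-01T00:00:00Z
Bounty: yes
"""
```

RFC 9116 also requires the file to be served over HTTPS at /.well-known/security.txt and recommends an Expires value less than a year out; neither can be checked from the text alone, so they belong on the deployment checklist rather than in the parser.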
Conclusion
A quest for free nuggets turned into a full-blown corporate tech audit. From exposed keys to privilege escalation, the story underscores how small oversights can snowball into major risks.
The real takeaway is not about nuggets or fries — it's about trust. Trust between companies and their customers. Trust between corporations and the researchers trying to help them. And trust that the digital systems we rely on every day are built with more care than a happy meal toy.