Security researcher driven by free nuggets unearths McDonald's security flaw — changing 'login' to 'register' in URL prompted site to issue plain text password for a new account

McDonald's storefront (Image credit: Getty / Bernd Obermann)

"Would you like to access sensitive information?" might be the new "Would you like fries with that?" A security researcher called "BobDaHacker" revealed how they went from scoring free McNuggets via the fast food chain's mobile app to repeatedly gaining access to a McDonald's platform meant only for employees and franchisees.

"The McDonald's Feel-Good Design Hub is their central platform for brand assets and marketing materials - used by teams and agencies across 120 countries. It used to be 'protected' by a client-side password. Yes, CLIENT-SIDE," BobDaHacker said. "After I reported this, they took 3 months to implement a proper account system with different login paths for McDonald's employees (using their EID/MCID) and external partners ... Except there was still an issue. All I had to do was change 'login' to 'register' in the URL" to create a new account that could access the platform.
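As an added illustration, not code from the article or from McDonald's, the sketch below contrasts the pattern BobDaHacker describes with its hardened form: the registration path must run the same server-side eligibility check as the login path, and the account's password must be stored hashed and never returned to the caller. The employee-ID allowlist, the placeholder IDs and the function names are assumptions constructed for this example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed allowlist standing in for an EID/MCID directory lookup (placeholder IDs, assumed).
ELIGIBLE_EIDS = {"EID-0001", "EID-0002"}

def _hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def register_vulnerable(store: dict, path: str, form: dict) -> tuple:
    """Flawed pattern: the only gate lived in the login page's client-side code, so a
    request to the register path creates an account for anyone and echoes the password."""
    if path != "/register":
        return 404, {}
    password = form.get("password") or secrets.token_urlsafe(8)
    store[form["email"]] = {"password": password}  # stored and returned unhashed
    return 200, {"email": form["email"], "password": password}

def register_hardened(store: dict, path: str, form: dict) -> tuple:
    """Hardened pattern: eligibility is enforced server-side on the registration path
    itself, the password is stored only as a salted hash, and the response omits it."""
    if path != "/register":
        return 404, {}
    email, eid, password = form.get("email", ""), form.get("eid", ""), form.get("password", "")
    if eid not in ELIGIBLE_EIDS:  # same authorization gate as the login flow
        return 403, {"error": "not eligible to register"}
    if not email or email in store:
        return 409, {"error": "account exists or email missing"}
    if len(password) < 12:
        return 400, {"error": "password too short"}
    salt, digest = _hash_password(password)
    store[email] = {"eid": eid, "salt": salt, "hash": digest}
    return 201, {"email": email}  # no password in the response

def verify_login(store: dict, email: str, password: str) -> bool:
    """Constant-time comparison against the stored hash; unknown users fail closed."""
    rec = store.get(email)
    if not rec or "hash" not in rec:
        return False
    _, digest = _hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["hash"])
```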


Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.
