A series of critical vulnerabilities in McDonald’s digital infrastructure exposed severe security lapses across multiple systems. The flaws began with a client-side validation bug in the mobile app, allowing free food exploits, but escalated to far graver issues. The **Design Hub**, used by teams in 120 countries, relied on a client-side password and had an open registration endpoint, enabling unauthorized access to confidential brand assets. Plaintext password emails, exposed **Magicbell API keys**, and listable **Algolia search indexes** leaked employee and user data, including names, emails, and access requests. Employee portals were equally compromised: low-level staff could access the **TRT corporate tool** to search global employee details (including executives’ emails) and exploit an **impersonation feature**. The **Global Restaurant Standards (GRS) panel** lacked authentication, allowing API-based HTML injection, while misconfigured **Stravito access** exposed internal documents. A separate vulnerability in McDonald’s **AI-powered hiring system** exposed **64 million job applicants’ personal data** due to weak security (password: '123456'). Though most issues were patched post-disclosure, some endpoints remained accessible, and a collaborator was terminated over 'security concerns.' The incident highlights systemic failures in authentication, access control, and secure coding practices, with no bug bounty program or reliable reporting mechanism in place.
Source: https://cybersecuritynews.com/mcdonalds-free-nuggets-hack/
TPRM report: https://www.rankiteo.com/company/mcdonald's-corporation
{
  "id": "mcd557081925",
  "linkid": "mcdonald's-corporation",
  "type": "Vulnerability",
  "date": "8/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "customers_affected": [
        "Mobile App Users (Reward Points Exploit)",
        "Job Applicants (64 Million Records in Hiring System)",
        "Employees (Internal Data Exposure)",
        "CosMc’s App Users (Coupon Abuse)"
      ],
      "industry": "Restaurant / Hospitality",
      "location": "Global (120+ Countries)",
      "name": "McDonald’s Corporation",
      "size": "Large (Franchises and Corporate)",
      "type": "Multinational Fast Food Chain"
    }
  ],
  "attack_vector": [
    "Client-Side Manipulation (Mobile App Reward Points)",
    "Unauthenticated API Endpoints (Design Hub, GRS Panel)",
    "URL Manipulation (Login to Register Bypass)",
    "Weak Authentication (Password '123456' in Hiring System)",
    "Exposed API Keys (Magicbell, Algolia)",
    "Impersonation Feature in Employee Portals",
    "HTML Injection via Unauthenticated Admin APIs",
    "Misconfigured Access Controls (Stravito, TRT Tool)"
  ],
  "data_breach": {
    "data_encryption": "None (Plaintext Passwords, Weak Authentication)",
    "data_exfiltration": "Unconfirmed (Potential via Exposed APIs and Misconfigurations)",
    "file_types_exposed": [
      "Internal Documents (Stravito)",
      "Brand Assets (Design Hub)",
      "Employee Records (TRT Tool)",
      "Job Application Data (AI Hiring System)"
    ],
    "number_of_records_exposed": "64,000,000 (Job Applicants) + Undisclosed (Employees/Internal Data)",
    "personally_identifiable_information": [
      "Names",
      "Emails",
      "Access Requests",
      "Job Application Details (64 Million Records)"
    ],
    "sensitivity_of_data": "High (PII, Internal Communications, Executive Emails)",
    "type_of_data_compromised": [
      "Personally Identifiable Information (PII)",
      "Employee Data (Emails, Access Requests)",
      "Internal Brand Assets",
      "Job Applicant Data (64 Million Records)",
      "Order Data (CosMc’s App)"
    ]
  },
  "description": "A series of vulnerabilities in McDonald’s digital infrastructure were discovered by security researcher BobDaHacker, ranging from client-side reward point exploits in the mobile app to exposed executive data, weak authentication in internal tools, and misconfigured APIs. The issues included plaintext password transmission, unauthorized access to confidential materials, exposed API keys, and a severe breach in the AI-powered hiring system affecting 64 million job applicants. Many vulnerabilities were eventually patched, but some may persist, and the company lacks a formal bug bounty program or reliable reporting mechanism.",
  "impact": {
    "brand_reputation_impact": [
      "Negative Publicity Due to Lax Security Practices",
      "Lack of Bug Bounty Program Criticized",
      "Dismissal of Collaborator Over Security Concerns"
    ],
    "data_compromised": [
      "Employee Emails (Including Executives)",
      "Job Applicant PII (64 Million Records)",
      "Internal Brand Assets (Design Hub)",
      "Access Requests (Algolia Indexes)",
      "Internal Documents (Stravito)",
      "Order Data (CosMc’s App)"
    ],
    "identity_theft_risk": [
      "High (64 Million Job Applicants’ PII Exposed)",
      "Employee Data (Emails, Access Requests)"
    ],
    "operational_impact": [
      "Temporary Disruption in Design Hub (Unauthorized Access)",
      "GRS Panel Defacement ('You’ve been Shreked')",
      "Potential Abuse of Impersonation Feature",
      "Exposure of Internal Communications and Documents"
    ],
    "systems_affected": [
      "McDonald’s Mobile App (Reward Points)",
      "Design Hub (Brand Assets Platform)",
      "Employee Portals (TRT Tool)",
      "Global Restaurant Standards (GRS) Panel",
      "Stravito (Internal Document Access)",
      "CosMc’s Experimental Restaurant App",
      "AI-Powered Hiring System"
    ]
  },
  "investigation_status": "Partially Resolved (Some Vulnerabilities May Persist)",
  "lessons_learned": [
    "Lack of a Bug Bounty Program Hinders Ethical Disclosures",
    "Delayed or Dismissive Responses to Researchers Worsen Risks",
    "Client-Side Validation is Insufficient for Security-Critical Functions",
    "Plaintext Password Transmission is Unacceptable in 2025",
    "Unauthenticated API Endpoints Pose Severe Risks",
    "Misconfigured Access Controls Can Lead to Large-Scale Data Exposure",
    "Internal Tools Require Strict Authentication and Authorization",
    "Public-Facing Systems Must Undergo Regular Security Audits"
  ],
  "motivation": [
    "Ethical Disclosure",
    "Security Awareness",
    "Responsible Vulnerability Reporting"
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      "Implemented Proper Authentication for Design Hub",
      "Rotated Exposed API Keys (Magicbell, Algolia)",
      "Secured GRS Panel Admin Functions",
      "Fixed AI Hiring System Authentication",
      "Restricted Stravito Access",
      "Patched Mobile App Reward Validation",
      "Removed or Secured Impersonation Feature (Assumed)"
    ],
    "root_causes": [
      "Lack of Secure Coding Practices (Client-Side Validation)",
      "Inadequate Authentication Mechanisms (Design Hub, GRS Panel)",
      "Poor Incident Response Coordination",
      "Absence of a Structured Vulnerability Disclosure Process",
      "Over-Permissive Access Controls (Stravito, TRT Tool)",
      "Use of Default/Weak Credentials (AI Hiring System)",
      "Delayed Patching and Remediation"
    ]
  },
  "recommendations": [
    "Establish a Formal Bug Bounty Program",
    "Create a Dedicated Security Contact (security.txt)",
    "Implement Multi-Factor Authentication (MFA) for Internal Systems",
    "Conduct Regular Third-Party Security Audits",
    "Enforce Least-Privilege Access Controls",
    "Encrypt Sensitive Data in Transit and at Rest",
    "Monitor and Rotate API Keys Regularly",
    "Train Employees on Secure Coding and Incident Reporting",
    "Adopt a Proactive Vulnerability Disclosure Policy"
  ],
  "references": [
    {
      "source": "Original Incident Report (Hypothetical, Based on Description)"
    }
  ],
  "response": {
    "communication_strategy": [
      "Cold-Calling Headquarters (Researcher’s Effort)",
      "Direct Contact with Security Employees via LinkedIn",
      "Public Disclosure (Post-Incident)"
    ],
    "containment_measures": [
      "Patching Mobile App Reward Validation (Client-Side)",
      "Three-Month Overhaul of Design Hub Logins",
      "Rotation of Exposed Magicbell API Keys",
      "Fixing Algolia Index Exposure",
      "Addressing AI Hiring System Authentication",
      "Removing Impersonation Feature in TRT Tool (Assumed)"
    ],
    "incident_response_plan_activated": "Partial (Delayed and Reactive)",
    "remediation_measures": [
      "Implemented Proper Employee/Partner Logins (Design Hub)",
      "Disabled Open Registration Endpoint (Partially)",
      "Stopped Plaintext Password Transmission (Design Hub)",
      "Secured GRS Panel Admin Functions",
      "Restricted Stravito Access for Low-Level Staff"
    ]
  },
  "threat_actor": "BobDaHacker (Ethical Security Researcher)",
  "title": "McDonald’s Digital Infrastructure Vulnerabilities and Data Exposure",
  "type": [
    "Data Exposure",
    "Authentication Bypass",
    "API Abuse",
    "Privilege Escalation",
    "Misconfiguration",
    "Information Disclosure",
    "Client-Side Exploitation"
  ],
  "vulnerability_exploited": [
    "Client-Side Reward Points Validation (Mobile App)",
    "Open Registration Endpoint (Design Hub)",
    "Plaintext Password Transmission (Design Hub)",
    "Exposed Magicbell API Keys and Secrets",
    "Listable Algolia Search Indexes (PII Exposure)",
    "Unauthenticated Access to TRT Tool (Employee Data)",
    "Impersonation Feature in Employee Portals",
    "Unauthenticated Admin Functions (GRS Panel, HTML Injection)",
    "Misconfigured Stravito Access (Internal Documents)",
    "Weak Authentication in AI Hiring System (Password '123456')",
    "Arbitrary Order Data Injection (CosMc’s App)",
    "Unlimited Coupon Redemptions (CosMc’s App)"
  ]
}