
McDonald's Portals Impacted by Significant Vulnerabilities

Ethical hacker Bobdahacker identified several coding flaws.


Multiple McDonald's online portals were found to be affected by a range of security vulnerabilities.

Ethical hacker Bobdahacker found that McDonald's Feel-Good Design Hub, which serves as the firm's global repository for marketing and promotional material, exposed a MagicBell API key and authentication secret that could have been used for further compromise.

They also identified an issue in the site's Algolia search-as-a-service integration, and found that a lack of server-side checking in the fast food chain's online delivery app allowed food to be ordered for free, The Register reports.

In addition, OAuth misconfigurations could have let lower-level employees access McDonald's executive portals, while missing admin authorisation checks in the company's Global Restaurant Standards portal for franchisees could have allowed anyone to edit the site's content.

While almost all of the issues have now been addressed, Bobdahacker noted that reporting them was troublesome because McDonald's had no valid security.txt file.



Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
