What a bunch of clowns
...to start off the long procession of burger-based puns. It's not big, it's not clever, but it is inevitable.
A white-hat hacker has discovered a series of critical flaws in McDonald's staff and partner portals that allowed anyone to order free food online, get admin rights to the burger slinger's marketing materials, and could allow an attacker to get a corporate email account with which to conduct a little filet-o-phishing. The …
I recently received a physical catalog from a company filled with grammatical errors (the catalog, not the company). Elementary proofreading would have caught them. In all other respects it had high production values: heavy paper, glossy photos, nice diagrams.
I had to wonder if their products, nice as they were, also lacked attention to detail in some critical area. Or if they used shameless algorithmic liars like ChatGPT in running their business.
"Elementary proofreading would have caught them"
And it's amazing what still slips through. I've just finished our annual report. It's been checked, amended, edited and signed off by a cast of thousands across several months, I've had multiple people proofread it, I've used the available tools (I did try AI; it was useless), I've even read it carefully in reverse, it's been read through by our legal team and by our design agency, and STILL there's the odd thing I groan at.
People talk of proofreading as though it's quick and simple, when it isn't. Just as creating a good index to a cookbook or technical volume is a skill rarer than unicorn-breeding.
Boy, tell me about it.
I've been responsible for some howlers, myself.
To The Register's credit, they're usually very quick about fixing errors. I've had some very nice interactions with the duty editors and they're always polite and grateful.
My only criticism is that the corrections email address takes a bit more effort than it should to find.
Pictures too. Many years back my employer got the OK to use one project we had done for a major oil company in our publicity. We asked for and got a few nice control room photos, with operators, er, operating.
All the artwork had been done and we were set to go to press. Then someone pointed out that one of the operators was sitting there with his flyhole very obviously wide open.
A different photo was used.
All almost too. However, I really enjoyed the article and am too drunk to work out how to send a correction. Having spent the day despairing at pen test reports pre production I'm pleased to know that there really are people out there that don't think testing before production is normal. I thought not thinking about it before implementing was bad....
"Hamburgler"
As a youth decades ago our esteem for that franchise meant that this felon was always for us the "Turdburgler."
"The burgers are better at Hungry Jack's" ... They were too, I recall.
I recall over 10 years ago, on this very site, stories of a food chain whose IT lacked security to the extent that staff who had left their employment over 4 months previously still had valid log on credentials and could order free food for themselves and gift tokens for others. It was not McDonald's, but some other chain. There were even articles about a major data breach of employee details in the 'mainstream' news media at the time.
Nice to know some things never change ...
The dill pickle ?
The security gherkin that Bobdahacker had been jerkin' ?
This whole sorry saga is pretty indicative of their dismal security practices but given the standard of their products, not incomprehensible.
Personally, if I were Bobdahacker I would be very wary in future, as others have discovered Big Mac can be extremely vindictive when crossed (recall McLibel?).
I shouldn't be surprised in the least if the Golden Arches had retained investigators to identify both Bobdahacker and her subsequently fired friend.
Happens everywhere.
https://www.theregister.com/security.txt says:
Contact: mailto:security@theregister.com
Expires: 2022-12-31T22:59:00.000Z
Preferred-Languages: en
And it should be in a different location as well, according to RFC 9116:
https://www.example.com/.well-known/security.txt
From the RFC:
For web-based services, organizations MUST place the "security.txt" file under the "/.well-known/" path, e.g., https://example.com/.well-known/security.txt as per [RFC8615] of a domain name or IP address. For legacy compatibility, a "security.txt" file might be placed at the top-level path or redirect (as per Section 6.4 of [RFC7231]) to the "security.txt" file under the "/.well-known/" path. If a "security.txt" file is present in both locations, the one in the "/.well-known/" path MUST be used.
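As an added example (not the commenter's or The Register's code), a small offline checker for RFC 9116 security.txt files: it lists the candidate locations with /.well-known/ first, parses the three fields quoted above (embedded here as a constructed sample), and flags the expired Expires value; the RFC 3339 date helper and the accepted Contact URI schemes are my assumptions.

```python
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample: the three fields quoted from the comment above.
SAMPLE = """Contact: mailto:security@theregister.com
Expires: 2022-12-31T22:59:00.000Z
Preferred-Languages: en
"""

def candidate_urls(origin: str) -> list:
    """Fetch order: RFC 9116 says the /.well-known/ copy wins; root is legacy."""
    return [f"{origin}/.well-known/security.txt", f"{origin}/security.txt"]

def parse_security_txt(text: str) -> dict:
    """Collect 'Field: value' lines into {field: [values]}; skip blanks, '#' and junk."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and ":" in line:
            name, _, value = line.partition(":")
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def _parse_rfc3339(value: str) -> datetime:
    # Assumed helper: RFC 3339 with 'Z' or a numeric offset; fromisoformat()
    # before Python 3.11 rejects a trailing 'Z', so normalise it first.
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)

def check_security_txt(text: str, now: datetime = None) -> list:
    """Return the problems found; an empty list means the checks passed."""
    now = now or datetime.now(timezone.utc)
    f = parse_security_txt(text)
    problems = []
    if not f.get("contact"):
        problems.append("missing required Contact field")
    for c in f.get("contact", []):
        if urlparse(c).scheme not in ("https", "mailto", "tel"):
            problems.append(f"Contact should be an https:, mailto: or tel: URI: {c}")
    expires = f.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires is required and MUST appear exactly once")
    else:
        try:
            if _parse_rfc3339(expires[0]) <= now:
                problems.append(f"file expired on {expires[0]}")
        except (ValueError, TypeError):  # TypeError: no zone vs aware 'now'
            problems.append(f"Expires is not an RFC 3339 timestamp: {expires[0]}")
    return problems
```

Run against the quoted file it reports only the stale Expires; fetching the two candidate URLs and feeding the body in is left to the caller so the check stays offline.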
Given the impossible-to-argue-with commercial success of the core business in marketing and customer relations, responding to customer trends, handling complaints...
It seems that that is for the test kitchens and restaurant crew. McDonald's not only failed to provide the expected security.txt, but in the process of contacting the security engineer the researcher was forced to cold call HQ. Forget a bug bounty; they barely talked to the researcher at all, and she had to find the security team on LinkedIn. Then the fixes were incomplete.
Come on McDonald's, you're a Fortune 100 global firm and it's 2025.
At first I thought that Ray must be spinning in his grave. And these words are probably coming out of his mouth: "Come on McDonald's, you're a Fortune 100 global firm and it's 2025."
However, I've read recently that McDonald's makes more cash from other enterprises than flippin' burgers, and I doubt those other enterprises could be accessed via a food app? I guess it's a matter of perspective. Spend less on one of our lesser generating concerns... besides, it's only customers' data at risk, and we have a fund (generating nice interest too, instead of paying for a lot of IT people that can do it right) to cover any eventual payouts, should there be any. SOP @ BigCorp.
I'm happy to say I've not eaten McDonalds since the summer of 2021, and surely didn't use their app.
Yes, quite a few of the $Big_Names almost seem to be running a "stealth" business behind the shiny pizazz of the "mainstream marketing". Quite a few make significantly larger sums because, as they grew, they bought their locations, and whether they still operate from those locations or not, they are raking it in as landlords and/or property developers.
"However, I've read recently that McDonalds makes more cash from other enterprises than flippin burgers"
McDonalds is a real estate holding company. Franchises lease a building and the land it's sat on from the McDonalds corporation to dispense a simulacrum of food to unsuspecting victims. The food myth is a way to convince investors to sign those long-term leases.
This is not to say that they can ignore issues with their menu and backend services. Those things need to be in place for the franchisees to be able to make money and keep up on those lease payments, and continue to purchase food from McD food suppliers that source raw ingredients from McD farms. (Excuse me for condensing the shell-company bingo down for easier storytelling.) Not only do the franchisees need to make money, they need enough profits to expand to new locations. It's advantageous to McD's to have well-seasoned renters they know will make a good go of it.
Serious question for the technical people: was '123456' the default password on the equipment, with instruction for the new SysAdmin team to change on first log on, or did a McDonald's employee actually choose it?
I mean, I can just about understand Donald Trump, whose expertise is in real estate and not IT security, picking 'MAGA2020' as his Twitter password, since he could easily remember it and it made him feel good, but why would someone who should know what they are doing choose '123456' for an important password?
Here's some food for thought...
McDonald's corporation makes more money leasing facilities to franchises than they make off the crap they sell as food.
But, they do have an excellent equipment maintenance program where they go in every 6 months and rotate the entire kitchen out with rebuild/cleaned machines. Including the crap Taylor ice cream machines that break down if slightly overfilled.
I don't know shit about their IT but obviously it sucks like a vacuum pump!
Why wouldn't the online food ordering network be entirely separate from Corp? The article makes it sound, once again, like the company bought a Holmes IV and runs every task through it rather than having disparate functions handled by unique server setups. It's not that hard to have one system send a report to another on a one-way link. Even something like email could work for that. Files would be too big for email, but you could put a person in the loop who gets the mail, vets it and then sends the data on up the chain to have in case anybody wants to do some analysis on it. Did some executive want to watch the online ordering network working in real time from their yacht via their corporate VPN?
Everyone knows you lock your front door; that's why you put security on the client.
This "exposure" is NOTHING.
Take a look at their KIOSK machines, the finger-operated flat screens; they seem to think that because it don't have a KB it's safe.
The problem with McDonald's is, not only do they shoot the messenger, they also cut your head off and stick it on the castle walls.
That's why I would not report exploits to them; been there, done that...
Seems they were more interested in finding out who I was and trying to stitch me up.
Someone needs sacking in that Mickey Mouse company...
"Burger slinger gets a McRibbing, reacts by firing staffer who helped"
What a depressingly modern American response: don't do anything about properly fixing the security issues; just sack the person responsible for bringing the security shortcomings to management's attention.
Do the management really think that if nobody says anything out loud about a major problem, then that problem doesn't exist?
Cretins.