A Hacker Exposes Critical McDonald’s Flaws Behind a Simple Nugget Hunt

Service Com'


A trivial mistake in the McDonald’s app led an independent researcher to uncover a chain of major flaws across the fast-food giant’s digital infrastructure.

In August 2025, a passionate hacker known as BobDaHacker revealed alarming vulnerabilities in McDonald’s digital ecosystem. Starting with a simple glitch in the mobile app’s loyalty points system, he uncovered deeper weaknesses ranging from plaintext password delivery to authentication flaws in internal portals. His findings highlight not only technical shortcomings but also the absence of a clear framework for responsible disclosure. What began as a story about free nuggets exposed cybersecurity failures at a global corporation with billions in revenue. The case shows how lack of preparedness can leave the door wide open to far more destructive attacks.

From Loyalty Bug to Internal System Access

The starting point looked like a joke: exploiting a flaw in McDonald’s loyalty program to score free nuggets. On August 17, 2025, BobDaHacker released a detailed report showing how the mobile app validated bonus points only on the client side. By intercepting and tweaking traffic, users could order food without having the required points. A textbook error, easy to fix.
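The flaw described above is the classic "trust the client" mistake: the app decided whether the user could afford the reward, and the server believed it. The following Python sketch is an added example (not McDonald’s code, and not from BobDaHacker’s report); the reward catalogue, account balances and function names are constructed to contrast the vulnerable pattern with a server that recomputes price and balance itself.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# Constructed reward catalogue: reward id -> cost in loyalty points.
POINTS_PRICE: Dict[str, int] = {"nuggets_6": 1500, "fries_m": 1000}


@dataclass
class Account:
    account_id: str
    points: int


class LoyaltyService:
    def __init__(self, accounts: Iterable[Account]) -> None:
        self._accounts = {a.account_id: a for a in accounts}

    def redeem_trusting_client(
        self, account_id: str, reward: str, client_says_affordable: bool
    ) -> Tuple[bool, object]:
        """Vulnerable pattern: the only affordability check is the flag the
        client sends. Anyone who tampers with the request sets it to True and
        the balance simply goes negative."""
        if not client_says_affordable:
            return False, "client reported insufficient points"
        acct = self._accounts[account_id]
        acct.points -= POINTS_PRICE[reward]   # no server-side check at all
        return True, acct.points

    def redeem(self, account_id: str, reward: str) -> Tuple[bool, object]:
        """Hardened pattern: the server ignores anything the client claims and
        derives price and balance from its own records."""
        acct = self._accounts.get(account_id)
        if acct is None:
            return False, "unknown account"
        price = POINTS_PRICE.get(reward)
        if price is None:
            return False, "unknown reward"
        if acct.points < price:
            return False, "insufficient points"
        acct.points -= price
        return True, acct.points


if __name__ == "__main__":
    svc = LoyaltyService([Account("alice", 200)])
    # A tampered request: the client claims the reward is affordable.
    print(svc.redeem_trusting_client("alice", "nuggets_6", True))  # (True, -1300)
    svc = LoyaltyService([Account("alice", 200)])
    print(svc.redeem("alice", "nuggets_6"))  # (False, 'insufficient points')
```

The point of the hardened `redeem` is that the request carries only the account and the reward; every value that decides the outcome comes from server-side state, so there is nothing in the traffic worth tampering with.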

But the story didn’t end there. The lack of a serious response from McDonald’s engineers pushed the researcher to dig deeper. Soon, he realized this wasn’t just one isolated flaw—the entire security logic of McDonald’s showed cracks.

One striking example was the Feel-Good Design Hub portal, used by marketing teams in 120 countries. At first, access was “protected” by a single client-side password, already an outdated practice. When McDonald’s introduced a new authentication mechanism, it came with another glaring weakness: simply replacing “login” with “register” in the URL bypassed the barrier and granted fraudulent access.
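A bypass of that shape usually means the access check was written as a blocklist (“deny the paths we thought of”) rather than an allowlist (“everything is private unless explicitly public”). The Python sketch below is an added example, not the portal’s code and not taken from the report; the route names, roles and the assumption that the gate only covered one path prefix are constructed to illustrate the two policies side by side.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed route table for a hypothetical internal portal.
PUBLIC: Set[Tuple[str, str]] = {("GET", "/login"), ("POST", "/login"), ("GET", "/health")}
# Account creation on an internal portal is an admin action, not a public one.
ADMIN_ONLY_PREFIXES = ("/register", "/admin")


@dataclass
class Request:
    method: str
    path: str
    user: Optional[str] = None    # None = no authenticated session
    role: str = "user"


def normalize(path: str) -> str:
    """Collapse the path so /portal//home/ and /portal/home are compared alike."""
    p = urlsplit(path).path
    while "//" in p:
        p = p.replace("//", "/")
    if len(p) > 1 and p.endswith("/"):
        p = p[:-1]
    return p


def blocklist_gate(req: Request) -> int:
    """Vulnerable policy: only the path the developers had in mind is checked,
    so any route they forgot (here /register) is reachable anonymously."""
    path = normalize(req.path)
    if path.startswith("/portal") and req.user is None:
        return 401
    return 200


def allowlist_gate(req: Request) -> int:
    """Hardened policy: deny by default. Only (method, path) pairs listed in
    PUBLIC skip authentication, and sensitive prefixes also require a role."""
    path = normalize(req.path)
    if (req.method, path) in PUBLIC:
        return 200
    if req.user is None:
        return 401
    if path.startswith(ADMIN_ONLY_PREFIXES) and req.role != "admin":
        return 403
    return 200


if __name__ == "__main__":
    anon_register = Request("GET", "/register")
    print(blocklist_gate(anon_register), allowlist_gate(anon_register))  # 200 401
```

Note that the allowlist keys on method as well as path: a `GET /login` form being public says nothing about whether `POST /register` should be.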

Things got worse when he discovered that credentials generated by the site were sent in plaintext by email. For a global company, relying on practices abandoned long ago in cybersecurity is a serious red flag.

Exposed Keys and Personal Data in Plain Sight

While examining scripts tied to the marketing portal, BobDaHacker found exposed Magicbell API keys. These could be abused to send fake messages on behalf of McDonald’s infrastructure, paving the way for massive phishing campaigns.

Search indices from Algolia, also left wide open, contained sensitive personal data: names, email addresses, and records of access requests to internal systems. In other words, any moderately skilled attacker could map McDonald’s internal organization and stage targeted attacks.

The researcher also revealed that several internal portals let ordinary accounts bypass hierarchy levels. The TRT service, meant to help identify employees, exposed their personal addresses and allowed an “impersonation” function to masquerade as other users. This kind of flaw is a direct invitation to industrial espionage.

Even the GRS system for franchisees was vulnerable. Without authentication, attackers could alter the interface and access sensitive admin functions. The principle of segmentation—basic in cybersecurity—was nearly absent.

CosMc’s, Reporting Obstacles, and Governance Flaws

The investigation extended to McDonald’s experimental CosMc’s project, the company’s innovation showcase. Again, a basic issue: promo codes for new customers could be used without limit. More seriously, BobDaHacker managed to inject arbitrary data into orders, gaining leverage over operational processes.

Reporting these discoveries was harder than finding them. The “security.txt” file, once listing an official reporting channel, had been deleted. The researcher resorted to calling headquarters and reaching out to employees on LinkedIn. Only after repeated follow-ups did he manage to get his report to the right team.
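The “security.txt” file mentioned above is the RFC 9116 mechanism for publishing a reporting channel at `/.well-known/security.txt`. As an added example (not from the article or from McDonald’s), here is a small Python validator for such a file: it checks the two required fields, `Contact` and `Expires`, and flags an expired or over-long validity window, which is the kind of drift that silently leaves researchers without a channel. The sample file contents and the `example.com` addresses are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed example of a /.well-known/security.txt body.
SAMPLE = """\
# Security contact information for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-06-30T23:59:00.000Z
Preferred-Languages: en, fr
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security/policy
"""

ALLOWED_CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Parse 'Field: value' lines into a case-insensitive multimap."""
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {line!r}")
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_rfc3339(value: str) -> Optional[datetime]:
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None


def validate_security_txt(text: str, now: Optional[datetime] = None) -> List[str]:
    """Return a list of problems; an empty list means the file is usable."""
    now = now or datetime.now(timezone.utc)
    problems: List[str] = []
    fields = parse_security_txt(text)

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing Contact")
    for c in contacts:
        if not c.startswith(ALLOWED_CONTACT_SCHEMES):
            problems.append(f"Contact has unsupported scheme: {c}")

    expires = fields.get("expires", [])
    if not expires:
        problems.append("missing Expires")
    elif len(expires) > 1:
        problems.append("multiple Expires fields")
    else:
        when = _parse_rfc3339(expires[0])
        if when is None or when.tzinfo is None:
            problems.append("Expires is not an RFC 3339 timestamp with timezone")
        elif when <= now:
            problems.append("expired")
        elif when > now + timedelta(days=365):
            problems.append("Expires is more than a year away")
    return problems


if __name__ == "__main__":
    print(validate_security_txt(SAMPLE, now=datetime(2025, 8, 20, tzinfo=timezone.utc)))  # []
```

A file that has been deleted is simply the empty case below: both required fields are reported missing, which is exactly the situation the researcher ran into.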

This delay underscored a major problem: McDonald’s has no bug bounty program and no transparent responsible disclosure process. Without a dedicated channel, independent researchers run into walls, discouraging cooperation and increasing the risk of malicious exploitation.

The episode also had human costs. A friend of BobDaHacker, whose account was used in demonstrations, lost his job. This illustrates the gap between the need for stronger security and the company’s treatment of technical whistleblowers.

Behind a lighthearted quest for free nuggets lies a sharp lesson: even a global giant can miss basic cybersecurity essentials. Despite billions in revenue and presence in 120 countries, McDonald’s has failed to create a clear channel with researchers or implement robust defenses. The bigger question remains: how many other corporations of similar size are carrying invisible flaws, waiting to be exploited by actors far less ethical? [ZATAZ News English version]
