Free Nuggets, Big Breach: How a Hacker Turned a McDonald’s Glitch Into a Corporate Security Wake-Up Call

What began as a stunt to score free nuggets ended in a full-scale security investigation that exposed dozens of vulnerabilities in McDonald’s digital infrastructure.
On August 17, 2025, a user going by the nickname BobDaHacker published a detailed step-by-step report describing how a trivial error in the fast-food giant’s rewards application revealed far more serious problems within its systems.
From Free Food to Systemic Flaws
The first breach was almost laughably simple: the mobile app failed to validate bonus points on the server side, relying solely on client-side checks. With minor traffic manipulation, anyone could claim food without actually earning points.
After reporting the bug, BobDaHacker noticed the issue was patched, but the lack of serious engagement from McDonald’s engineers encouraged him to dig deeper.
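To make the server-side validation point concrete, here is an added example (not BobDaHacker's code and not McDonald's) of a rewards redemption handler written two ways: one that trusts the point balance the client sends, which is the shape of flaw described above, and one that consults a server-side ledger and debits it. The catalogue, account names and balances are constructed for the demo, and the user identity is taken from the server session rather than the request body.

```python
"""Added example: client-trusting vs. server-validated reward redemption."""
from dataclasses import dataclass, field

# Hypothetical reward catalogue: item -> points required (constructed values).
CATALOGUE = {"nuggets_6pc": 1500, "fries": 1000}


@dataclass
class Ledger:
    """Server-side source of truth for each account's point balance."""
    balances: dict = field(default_factory=dict)

    def earn(self, user: str, points: int) -> None:
        self.balances[user] = self.balances.get(user, 0) + points

    def balance(self, user: str) -> int:
        return self.balances.get(user, 0)

    def debit(self, user: str, points: int) -> bool:
        # In a real service this check-and-debit must be one atomic DB operation.
        if self.balance(user) < points:
            return False
        self.balances[user] -= points
        return True


def redeem_trusting_client(body: dict) -> dict:
    """VULNERABLE: believes the balance the app claims in the request body."""
    item = body["item"]
    cost = CATALOGUE[item]
    if body["claimed_balance"] < cost:
        return {"ok": False, "reason": "insufficient points"}
    # The ledger is never consulted, so any client can set claimed_balance at will.
    return {"ok": True, "item": item}


def redeem(ledger: Ledger, session_user: str, body: dict) -> dict:
    """HARDENED: ignore anything the client says about its balance."""
    item = body.get("item")
    if item not in CATALOGUE:
        return {"ok": False, "reason": "unknown item"}
    cost = CATALOGUE[item]
    # Identity comes from the authenticated session, the balance from the ledger.
    if not ledger.debit(session_user, cost):
        return {"ok": False, "reason": "insufficient points"}
    return {"ok": True, "item": item, "remaining": ledger.balance(session_user)}


def demo() -> tuple:
    """Replay the same tampered request against both handlers."""
    ledger = Ledger()
    ledger.earn("alice", 200)
    forged = {"item": "nuggets_6pc", "claimed_balance": 99999}
    return redeem_trusting_client(forged), redeem(ledger, "alice", forged)


if __name__ == "__main__":
    print(demo())
```

The vulnerable handler is not "missing a check"; it performs one, but on data the attacker controls. The fix is not a better client check but moving the decision to data the client cannot write.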
Marketing Portal Wide Open
His next discovery was the Feel-Good Design Hub, an internal portal used by McDonald’s marketing teams across 120 countries. Initially, the site was protected only by a hard-coded client-side password—an outdated and ineffective practice.
Even after McDonald’s added an authorization system, it remained dangerously flawed. By swapping the word “login” with “register” in the URL, BobDaHacker gained access to a registration form. Completing it triggered the system to send passwords in plain text via unencrypted email—a critical violation of modern security standards.
Inside, he found materials marked confidential, including videos and other sensitive content, all accessible to anyone who slipped through this loophole.
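As an added illustration of the alternative to e-mailing a plain-text password (this is not the portal's code and not BobDaHacker's), the following standard-library Python sketch registers a user by storing only a salted PBKDF2 hash and handles password recovery with a single-use, short-lived reset token. The e-mail then carries a link with the token, never a credential. The user store, clock and the work factor are constructed for the demo; `issue_reset` is assumed to be reached only after whatever account-ownership check the real system applies.

```python
"""Added example: password storage and reset without plain-text secrets."""
import hashlib
import hmac
import secrets
import time

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; tune to your hardware


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class UserStore:
    def __init__(self, now=time.time):
        self.users = {}   # email -> {"salt": bytes, "digest": bytes}
        self.resets = {}  # sha256(token) -> (email, expiry timestamp)
        self.now = now    # injectable clock so expiry can be tested

    def register(self, email: str, password: str) -> None:
        # Only the salted hash is persisted; the password is never mailed or logged.
        salt, digest = hash_password(password)
        self.users[email] = {"salt": salt, "digest": digest}

    def login(self, email: str, password: str) -> bool:
        rec = self.users.get(email)
        if rec is None:
            hash_password(password)  # spend the same time for unknown accounts
            return False
        return verify_password(password, rec["salt"], rec["digest"])

    def issue_reset(self, email: str, ttl: int = 900):
        """Return the token to embed in the reset e-mail, or None if no such account.

        The HTTP response to the requester must look identical either way, so
        this endpoint does not reveal which addresses are registered."""
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        # Store only a hash of the token: a leaked table cannot be replayed.
        key = hashlib.sha256(token.encode()).digest()
        self.resets[key] = (email, self.now() + ttl)
        return token

    def complete_reset(self, token: str, new_password: str) -> bool:
        key = hashlib.sha256(token.encode()).digest()
        entry = self.resets.pop(key, None)  # pop makes the token single-use
        if entry is None:
            return False
        email, expiry = entry
        if self.now() > expiry:
            return False
        self.register(email, new_password)
        return True
```

The two properties the flawed portal lacked are both visible here: the server never possesses a reusable plain-text credential to send, and what it does send expires and works once.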
Keys to Phishing Attacks
The portal’s scripts exposed Magicbell API keys, which could be abused to send fake notifications impersonating McDonald’s infrastructure—a perfect setup for phishing campaigns.
He also found Algolia search indexes containing personal data of individuals who had requested access to McDonald’s internal systems. These records included names, emails, and request histories, essentially handing attackers a list of corporate targets.
Corporate Tools Compromised
Several internal services were equally vulnerable:
- TRT service: Allowed lookups of any employee by ID or name, exposing personal email addresses. An “impersonation” feature further enabled data extraction while masquerading as other users.
- GRS franchisee tool: Contained flaws that let BobDaHacker alter interface elements without authorization, effectively giving him administrative-level control.
- CosMc’s experimental restaurant project: Promo codes could be reused indefinitely, while injection flaws in the order system allowed arbitrary data insertion into live orders.
Reporting Roadblocks
Despite the scale of the findings, reporting them was no easy task. McDonald’s had once maintained a security.txt file with disclosure contacts, but it had been removed. Desperate, BobDaHacker resorted to cold-calling the company’s headquarters and reaching out to employees via LinkedIn.
Only after repeated attempts was he directed to the right person. While many vulnerabilities were eventually patched, the reporting process highlighted McDonald’s lack of readiness to engage constructively with independent researchers. Adding insult to injury, BobDaHacker’s friend—whose account he had used for testing—was fired.
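For reference, the security.txt mechanism mentioned above is standardised in RFC 9116: a plain-text file served over HTTPS at /.well-known/security.txt, with Contact and Expires as the required fields. The following is an added example of such a file, not McDonald's removed one; every address, URL and date in it is a placeholder.

```text
# Example /.well-known/security.txt (added illustration; placeholder values)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2026-12-31T23:59:59.000Z
Encryption: https://example.com/security/pgp-key.txt
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
Policy: https://example.com/security/disclosure-policy
```

Expires must be in the future and should be refreshed on a schedule; a stale or deleted file is exactly the dead end the researcher ran into, and RFC 9116 also allows the file to carry a PGP signature so a reporter can tell it has not been tampered with.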
A Wake-Up Call for McDonald’s
The incident underscores how even corporations with billion-dollar budgets can overlook basic safeguards:
- Server-side validation ignored
- Plain-text passwords sent via email
- Exposed API keys and search indexes
- Admin-level functions left unauthenticated
As of today, McDonald’s still lacks a bug bounty program or a transparent channel for responsible disclosure. That means future vulnerabilities may either remain unpatched or fall into the hands of hackers far less ethical than BobDaHacker.