From Nuggets to Breaches: A Hacker Exposes Critical Flaws in McDonald’s Systems
The story of an enthusiast hacker breaching McDonald’s digital infrastructure in pursuit of free chicken nuggets has spiraled into a sweeping security investigation, exposing dozens of critical vulnerabilities within the corporation’s systems. On August 17, 2025, a user known as BobDaHacker published a detailed report, meticulously outlining how a trivial flaw in the company’s rewards application led him to uncover far more serious weaknesses.
The first vulnerability was strikingly primitive: the mobile app failed to verify the number of reward points on the server side, relying solely on client-side validation. This meant that with minimal traffic modification, users could obtain food without having accumulated points. While BobDaHacker reported the flaw and assumed it had been patched, the apparent lack of serious attention from McDonald’s engineers spurred him to dig deeper.
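The flaw class described above, a redemption check that exists only on the client, is easiest to see beside its fix. The following is an added illustration, not McDonald's code; the reward catalogue, account model and request shape are constructed for the example.

```python
"""Reward redemption: a client-trusting handler beside a server-side check.

Constructed example; REWARDS, Account and the request fields are assumptions.
"""
from dataclasses import dataclass, field

# Constructed catalogue: reward id -> points required.
REWARDS = {"nuggets_6pc": 1500, "fries_medium": 1000}


@dataclass
class Account:
    user_id: str
    points: int                      # authoritative balance, server side
    redeemed: list = field(default_factory=list)


class InsufficientPoints(Exception):
    pass


def redeem_client_trusting(account: Account, request: dict) -> str:
    """Vulnerable pattern: the server accepts the client's claim that the
    balance check passed, so a modified request is granted regardless."""
    if not request.get("client_validated", False):
        raise InsufficientPoints("client reported insufficient points")
    account.redeemed.append(request["reward_id"])
    return f"redeemed {request['reward_id']}"


def redeem_server_checked(account: Account, request: dict) -> str:
    """Hardened pattern: ignore any client-supplied verdict, look up the cost
    and the stored balance on the server, and debit before granting."""
    reward_id = request.get("reward_id")
    cost = REWARDS.get(reward_id)
    if cost is None:
        raise ValueError(f"unknown reward {reward_id!r}")
    if account.points < cost:
        raise InsufficientPoints(f"{account.user_id}: {account.points} < {cost}")
    account.points -= cost           # debit first, then grant
    account.redeemed.append(reward_id)
    return f"redeemed {reward_id}"


def demo() -> tuple:
    """Replay one modified request (zero-point account, client_validated
    forced true) against both handlers; returns (vulnerable, hardened)."""
    modified = {"reward_id": "nuggets_6pc", "client_validated": True}
    vuln = redeem_client_trusting(Account("u1", 0), modified)
    try:
        redeem_server_checked(Account("u2", 0), modified)
        hard = "granted"
    except InsufficientPoints:
        hard = "rejected"
    return vuln, hard
```

A regression test that asserts `demo()` returns `("redeemed nuggets_6pc", "rejected")` is the kind of server-side check whose absence the report describes.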
His continued analysis led him to the Feel-Good Design Hub, an internal portal used by McDonald’s marketing teams across 120 countries. Alarmingly, the site was protected only by a client-side password—an outdated and ineffective safeguard. Even when proper authentication was eventually added, it too contained a loophole: simply replacing “login” with “register” in the URL opened a registration form.
Upon filling out the form, the system would send a plaintext password via email—a glaring violation of modern security standards. The portal contained video materials labeled as confidential, accessible to anyone who managed to exploit this crude registration bypass.
In the site’s scripts, BobDaHacker uncovered exposed Magicbell API keys, enabling the sending of fraudulent notifications as though from McDonald’s infrastructure—an ideal vector for phishing campaigns. He also discovered Algolia search indexes containing personal details of individuals who had requested internal access, including names, email addresses, and query histories.
Attention then shifted to McDonald’s corporate portals, where even low-level employee accounts could access resources intended for executives. For instance, the TRT service allowed lookups on any staff member by ID or name, exposing personal email addresses. It also contained an “impersonation” function that permitted data retrieval as other users. Similarly, within the GRS franchisee tool, BobDaHacker demonstrated the ability to alter interface elements without authentication—effectively granting full administrative control.
Even McDonald’s experimental restaurant project, CosMc’s, was poorly secured. A promotional code for new users could be redeemed without limit, and the researcher found ways to inject arbitrary data into orders, tampering with their processing.
Reporting these issues proved to be the greatest challenge. McDonald’s had once maintained a security.txt file listing a contact point for responsible disclosure but had since removed it. BobDaHacker was left to pursue attention through phone calls to headquarters and by searching for employees on LinkedIn. Only after persistent effort was he directed to the appropriate channel. Though most flaws were eventually patched, the process revealed McDonald’s lack of readiness to engage meaningfully with security researchers. Disturbingly, the friend whose account BobDaHacker used during testing lost his job in the fallout.
This saga underscores a sobering truth: even global giants with multimillion-dollar security budgets are not immune to fundamental failures—client-side validation, plaintext passwords, and unauthenticated administrative functions. To this day, McDonald’s lacks both a bug bounty program and a transparent, standardized channel for responsible disclosure. As a result, such vulnerabilities risk either remaining unaddressed or, worse, falling into the hands of far less ethical actors.