A researcher known as BobDaHacker uncovered a series of vulnerabilities across McDonald’s digital platforms, ranging from free food exploits to exposed internal systems and employee data.
It began with a flaw in the mobile app that let users redeem rewards without enough points. Reporting efforts were initially dismissed, but the bug was quietly patched. Deeper investigation revealed weak protections in the Design Hub, allowing unauthorized account creation and exposing sensitive brand assets. Passwords were even emailed in plain text.
Other issues included exposed API keys, searchable personal data, and employee portals that allowed access to executive emails and impersonation features. The Global Restaurant Standards panel lacked proper authentication, enabling public HTML injection.
Additional flaws were found in internal tools and CosMc’s experimental app, including unlimited coupon use. Most alarming was a hiring system vulnerability that exposed data of 64 million applicants due to a weak password.
While McDonald’s addressed many of the issues, some remain unresolved. The researcher urges the company to adopt a bug bounty program and provide clear security contacts to prevent future breaches.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
