Security analyst stirred by the allure of free nuggets uncovers a security lapse at McDonald's - altering the 'login' to 'register' in the URL triggers the site to disclose a clear text password for a new account creation process.

Security analyst stirred by the allure of free nuggets uncovers a security lapse at McDonald's - altering the 'login' to 'register' in the URL triggers the site to disclose a clear text password for a new account creation process.

In a series of events that highlight the importance of robust cybersecurity measures, security researcher BobDaHacker gained unauthorized access to McDonald's "McDonald's Feel-Good Design Hub," a platform holding proprietary marketing information.

The "McDonald's Feel-Good Design Hub" was previously protected by a client-side password, but BobDaHacker discovered a vulnerability that allowed him to create a new account, accessing the platform's resources. He reported this security issue to McDonald's by calling their headquarters and dropping random security employee names he found on LinkedIn.

The platform also offered a service that could be used to search for any McDonald's employee globally and see their email address. McDonald's HQ hotline connected callers to employees based on the name provided, allowing BobDaHacker to eventually reach someone important enough to report the issues.

It appears that McDonald's has addressed most of the disclosed vulnerabilities, but the process of reporting these issues was less than straightforward. A search for a security.txt file on McDonald's website and a search for "McDonald's security disclosure" returns no relevant results, suggesting that McDonald's has not established a proper security reporting channel.

Moreover, McDonald's took three months to implement a proper account system with different login paths for employees and external partners. In a different incident, a platform with access to private information at McDonald's was secured with the password "123456," underscoring the need for stronger password policies.

Notably, BobDaHacker reported that McDonald's sent the password associated with a new account in plain-text, a practice that is generally considered insecure. Changing 'login' to 'register' in the URL of the "McDonald's Feel-Good Design Hub" allowed BobDaHacker to create a new account that could access the platform.

Interestingly, McDonald's let go of a friend of Bob's who assisted in investigating some of the vulnerabilities. This incident, combined with the difficulties in the reporting process, might discourage other researchers from disclosing vulnerabilities at McDonald's in the future.

In conclusion, while McDonald's appears to be making efforts to address the identified vulnerabilities, the company could significantly improve its cybersecurity practices by establishing a clear and accessible security reporting channel, implementing stronger password policies, and ensuring that fixes are not easily bypassed.

Read also:

• Oxidative Stress in Sperm Abnormalities: Impact of Reactive Oxygen Species (ROS) on Sperm Harm
• Is it possible to receive the hepatitis B vaccine more than once?
• Transgender Individuals and Menopause: A Question of Occurrence?
• Genetically manipulated rabbits sprout ominous black horns on their heads