🍔 Found huge security flaws in McDonald's - crew members could access sites reserved for corporate employees with internal functions, API keys exposed, and more. Had to call their HQ and pretend to know people just to report it 🤦
Technical details:
- Design Hub: Used to be client sided password, Registration endpoint exists and works even tho they dont want signups
- TRT portal: Crew accounts could enumerate/impersonate all employees from general manager to CEO
- GRS panel: Complete authentication bypass, arbitrary HTML injection
- Magicbell API keys/secrets exposed in client-side JS
- Algolia indexes listable with user PII
- CosMc's: Server-side validation missing for coupon redemption
They fixed it but fired my friend who helped find the OAuth vulnerabilities.
Full Technical Writeup: https://bobdahacker.com/blog/mcdonalds-security-vulnerabilities
#infosec #bugbountry #responsibledisclosure #security #cybersecurity #hacking #vulnerability