
McDonald’s mobile app was hacked; it allowed free burgers and fries

In Germany, three information security researchers and ethical hackers disclosed a method of hacking the McDonald's mobile app: by exploiting several security flaws, they were able to use the app to place multiple orders for free.

The ethical hacking team consists of David Albert, Lenny Bakkalian and Mats Tesch, who report discovering a couple of vulnerabilities in the ordering section of the fast food chain's mobile app, which they were able to exploit to generate coupons simply by answering surveys. The vice president of McDonald's Germany says the flaws were reported to the chain and have already been corrected.

In their report, the researchers state that the vulnerabilities were discovered last November while they were investigating the McDonald's customer survey website. Because of a flaw in that platform, they were able to write a program that automated survey responses, generating an almost unlimited number of coupons.

The investigation did not end there: the researchers also reported a second security flaw in the app's code, specifically in the coupon generation feature, which could be abused to generate coupons arbitrarily. The team tested these flaws at a McDonald's branch in Hamburg with the prior consent of the staff and, in a short period of time, placed 15 orders worth over €100.

According to the International Institute of Cyber Security (IICS), the researchers carried out the hack by routing the app's traffic through their own proxy server and manipulating the data packets, which let them modify orders placed through the app so that the final amount was zero. Although McDonald's IT teams took more than two weeks to respond, the flaws have now been corrected, though a new method could still surface in the future.
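The two weaknesses described above, a survey that can be scripted to mint unlimited coupons and an order flow that lets a proxy rewrite the amount, both come down to the server trusting values the client controls. The following Python is an added illustration, not code from the researchers or from McDonald's; the menu, the coupon store, the receipt codes and the request payloads are all constructed for the example. It places a checkout that trusts the client's total beside one that recomputes the total server-side, enforces single-use coupons, and ties coupon issuance to a receipt code that can only be used once.

```python
# Added example (hypothetical, not McDonald's or the researchers' code):
# an order endpoint that trusts the client's total next to one that
# recomputes it server-side and enforces single-use coupons.
import secrets

# Constructed price table held by the server, in euro cents.
MENU = {"burger": 450, "fries": 250, "drink": 190}

# Constructed server-side coupon store: value in cents and a redeemed flag.
COUPONS = {"SURVEY-1A2B": {"value": 200, "redeemed": False}}

# Constructed survey state: receipt codes that have already earned a coupon.
USED_RECEIPTS = set()


class CheckoutError(Exception):
    """Raised when an order or coupon request fails server-side validation."""


def vulnerable_checkout(payload):
    """Charges whatever 'total' the client sent.

    A proxy sitting between the app and the API can rewrite the JSON body
    to "total": 0 and this server will charge nothing for a real order.
    """
    return {"items": payload["items"], "charged": payload["total"]}


def hardened_checkout(payload, menu=MENU, coupons=COUPONS):
    """Ignores any client-supplied total and recomputes it from the menu.

    Coupons are looked up in the server's own store and marked redeemed,
    so a code replayed in a second order is rejected.
    """
    total = 0
    for item in payload.get("items", []):
        sku = item.get("sku")
        qty = item.get("qty", 1)
        if sku not in menu:
            raise CheckoutError(f"unknown item {sku!r}")
        if not isinstance(qty, int) or not 1 <= qty <= 20:
            raise CheckoutError(f"bad quantity for {sku!r}")
        total += menu[sku] * qty

    code = payload.get("coupon")
    if code is not None:
        coupon = coupons.get(code)
        if coupon is None or coupon["redeemed"]:
            raise CheckoutError("coupon invalid or already redeemed")
        coupon["redeemed"] = True
        total -= coupon["value"]

    # The price never drops below zero, whatever the client claimed.
    return {"items": payload["items"], "charged": max(total, 0)}


def issue_survey_coupon(receipt_code, used_receipts=USED_RECEIPTS,
                        coupons=COUPONS):
    """Mints one survey coupon per receipt code.

    Consuming the receipt here is what stops a script from answering the
    survey in a loop to mint an unlimited number of coupons.
    """
    if receipt_code in used_receipts:
        raise CheckoutError("receipt already used for a survey coupon")
    used_receipts.add(receipt_code)
    code = "SURVEY-" + secrets.token_hex(4).upper()  # unguessable code
    coupons[code] = {"value": 200, "redeemed": False}
    return code


if __name__ == "__main__":
    # Constructed order as a proxy could rewrite it: real items, zero total.
    tampered = {"items": [{"sku": "burger", "qty": 2},
                          {"sku": "fries", "qty": 1}],
                "total": 0}
    print("vulnerable charges:", vulnerable_checkout(tampered)["charged"])
    print("hardened charges:  ", hardened_checkout(tampered)["charged"])
```

The hardened path treats the request as a list of item identifiers and an optional coupon code only; price, discount and total are all derived from state the server owns, which is the property a proxy-based attack cannot bypass.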

Similar flaws have appeared on comparable platforms, mainly food delivery apps (Rappi, Deliveroo, etc.) and other services. Specialists attribute this to developers building their apps on virtually identical code libraries, so the same vulnerability can be exploited on more than one platform.
