McDonald’s mobile app was hacked; it allowed free burgers and fries

In Germany, three information security researchers disclosed a way to exploit the McDonald's mobile app; by chaining several vulnerabilities, they were able to place multiple orders through the app without paying.

The team consists of David Albert, Lenny Bakkalian and Mats Tesch, who say they found a pair of vulnerabilities in the ordering section of the fast food chain's mobile app and exploited them to generate coupons simply by answering surveys. The vice president of McDonald's Germany states that the flaws were reported to the chain and should already have been fixed.

In their report, the researchers say the vulnerabilities were discovered last November while they were examining McDonald's customer survey website. A flaw in that platform let them write a program that automated survey responses, producing an almost unlimited number of coupons.

The investigation did not end there: the researchers also reported a second flaw in the app's code, specifically in the coupon generation feature, which could be abused to generate coupons arbitrarily. The team tested these flaws at a McDonald's branch in Hamburg with the prior consent of the staff, and in a short period of time generated 15 orders worth over €100.

According to the International Institute of Cyber Security (IICS), the researchers carried out the attack by routing the app's traffic through their own proxy server and manipulating the data packets, which allowed them to modify orders so that the final amount came to zero. Although McDonald's IT teams took more than two weeks to respond, the flaws have now been fixed, though a new method could surface in the future.
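The two weaknesses described above (survey responses replayed to mint coupons, and an order total rewritten on its way through a proxy) come down to the server trusting data it should derive itself. The following Python is an added example, not code from the researchers or from McDonald's; the catalogue, receipt codes, signing key and coupon format are all hypothetical. It shows a backend that prices every order from its own catalogue, ignores any client-supplied total, issues exactly one signed coupon per unused survey receipt, and accepts each coupon only once.

```python
import hashlib
import hmac
import json

# Hypothetical server-only key; in practice it would come from a secret store.
SIGNING_KEY = b"hypothetical-signing-key"

# Constructed server-side price catalogue (euro cents). Every line item is
# priced from here; nothing the client says about price or total is used.
CATALOGUE = {"burger": 499, "fries": 249, "cola": 199}

# Constructed state: survey receipts the server recognises, receipts already
# spent on a coupon, and coupons already redeemed.
VALID_SURVEY_RECEIPTS = {"RCPT-0001", "RCPT-0002"}
USED_SURVEY_RECEIPTS = set()
REDEEMED_COUPONS = set()


class OrderRejected(Exception):
    """Raised when an order, receipt or coupon fails server-side validation."""


def _mac(payload: str) -> str:
    return hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_survey_coupon(receipt_code: str, discount_cents: int) -> str:
    """Issue one coupon per genuine, unused survey receipt.

    The receipt is consumed server-side, so replaying one survey response
    (or scripting thousands of them) does not mint additional coupons.
    """
    if receipt_code not in VALID_SURVEY_RECEIPTS:
        raise OrderRejected("unknown survey receipt")
    if receipt_code in USED_SURVEY_RECEIPTS:
        raise OrderRejected("survey receipt already used")
    USED_SURVEY_RECEIPTS.add(receipt_code)
    payload = f"CPN-{receipt_code}:{discount_cents}"
    return f"{payload}:{_mac(payload)}"  # hypothetical format: id:discount:mac


def verify_coupon(token: str) -> tuple:
    """Check the coupon's signature. The discount is read from the signed
    payload, so editing it in transit invalidates the MAC."""
    try:
        coupon_id, discount, mac = token.split(":")
    except ValueError:
        raise OrderRejected("malformed coupon")
    if not hmac.compare_digest(mac, _mac(f"{coupon_id}:{discount}")):
        raise OrderRejected("coupon signature invalid")
    if coupon_id in REDEEMED_COUPONS:
        raise OrderRejected("coupon already redeemed")
    return coupon_id, int(discount)


def price_order(request_json: str) -> dict:
    """Compute what the customer owes from server data only.

    `request_json` is the body as received from the app. Any `total` field in
    it is ignored, so a proxy that rewrites it to 0 changes nothing; the
    mismatch is reported so it can be logged as a tampering signal.
    """
    req = json.loads(request_json)
    subtotal = 0
    for line in req.get("items", []):
        sku, qty = line.get("sku"), line.get("qty")
        if sku not in CATALOGUE:
            raise OrderRejected(f"unknown item {sku!r}")
        if not isinstance(qty, int) or qty <= 0 or qty > 50:
            raise OrderRejected(f"invalid quantity for {sku}")
        subtotal += CATALOGUE[sku] * qty

    coupon_id, discount = None, 0
    if req.get("coupon"):
        coupon_id, discount = verify_coupon(req["coupon"])
        REDEEMED_COUPONS.add(coupon_id)  # single use; a real system would do this at payment capture

    total = max(subtotal - discount, 0)  # a coupon never pushes the total negative
    mismatch = "total" in req and req["total"] != total
    return {"subtotal": subtotal, "discount": discount, "total": total,
            "coupon": coupon_id, "client_total_mismatch": mismatch}


def rejection_reason(fn, *args):
    """Return the rejection message for a call, or None if it was accepted."""
    try:
        fn(*args)
        return None
    except OrderRejected as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed request with a tampered total; the server still charges 9.98.
    print(price_order('{"items": [{"sku": "burger", "qty": 2}], "total": 0}'))
```

The `client_total_mismatch` flag is the detection hook: an order whose client-side total disagrees with the server's own computation is worth alerting on, because a legitimate app build should never send one.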

Similar flaws have appeared on comparable platforms, mainly food delivery apps (Rappi, Deliveroo, etc.) and other services. Specialists attribute this to developers building their apps on virtually identical code libraries, so the same vulnerability becomes exploitable on more than one platform.