In Germany, three information-security researchers and ethical hackers revealed a method to hack the McDonald's mobile app: by chaining several security flaws, they were able to place multiple orders through the app for free.
The team consists of David Albert, Lenny Bakkalian and Mats Tesch, who say they found a couple of vulnerabilities in the ordering section of the fast food chain's mobile app and exploited them to generate coupons just by answering surveys. The vice president of McDonald's Germany says the flaws were reported to the chain and have since been corrected.
In their report, the researchers say they discovered the vulnerabilities last November while investigating the McDonald's customer survey website. A flaw in that platform let them write a program that automated the survey responses, generating an almost unlimited number of coupons.
The investigation did not end there: the researchers also reported a second flaw in the app's code, specifically in the coupon generation feature, which could be abused to generate coupons arbitrarily. They tested these flaws at a McDonald's branch in Hamburg with the prior consent of the staff and, in a short time, placed 15 orders worth over €100.
According to the International Institute of Cyber Security (IICS), the researchers carried out the hack by routing the app's traffic through their own proxy server and manipulating the data packets, which let them modify the orders so that the final amount came to zero; this implies the backend accepted the amount the client sent instead of recomputing it. It took McDonald's IT teams more than two weeks, but the flaws have now been corrected, though a new method could still be revealed in the future.
Errors of this kind have also appeared on similar platforms, mainly food delivery apps (Rappi, Deliveroo, etc.) and other services. Specialists believe this is because developers use virtually identical code libraries as the basis of their apps, so the same vulnerability can be exploited on more than one platform.
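The following is an added illustration of the weakness described above, written for this page; it is not McDonald's code and does not reproduce the researchers' exploit. It puts a checkout handler that trusts the order total sent by the client beside a hardened one that recomputes the total from server-side prices and validates coupons on the server, including the coupon-reuse case that the survey abuse depends on. The menu items, prices (in euro cents), coupon code and tampered request are all constructed for the example.

```python
# Added illustration, not McDonald's code: a checkout handler that trusts the
# order total sent by the client, beside a hardened one that recomputes the
# total from server-side prices and validates coupons server-side.
# Menu items, prices (euro cents) and coupon codes are all constructed here.
import copy

MENU_PRICES = {"big_mac": 529, "fries_m": 279, "cola_m": 249}

# Coupon store: code -> discount in cents and whether it was already redeemed.
# In a real backend this lives in a database and is updated in a transaction.
COUPON_STORE = {"SURVEY-A1B2": {"discount": 200, "redeemed": False}}


def fresh_coupons():
    """Return an independent copy of the coupon store for each run."""
    return copy.deepcopy(COUPON_STORE)


class OrderRejected(Exception):
    """Raised when the hardened handler refuses an order."""


# Request as rewritten by an intercepting proxy: the real total is 1337 cents
# (2 x 529 + 279), but the attacker has set the "total" field to 0.
TAMPERED_REQUEST = {
    "items": [{"sku": "big_mac", "qty": 2}, {"sku": "fries_m", "qty": 1}],
    "coupons": [],
    "total": 0,
}


def vulnerable_checkout(request):
    """Charges whatever 'total' the client sent. Anyone who can edit the
    request body (e.g. through their own proxy) pays whatever they like."""
    return request["total"]


def hardened_checkout(request, coupons):
    """Ignore the client's total: recompute it from server-side prices,
    accept only coupons that exist and are unused, and burn each coupon
    exactly once. Returns the amount to charge plus a tamper indicator."""
    subtotal = 0
    for line in request.get("items", []):
        sku, qty = line.get("sku"), line.get("qty")
        if sku not in MENU_PRICES:
            raise OrderRejected(f"unknown item {sku!r}")
        # bool is a subclass of int, so exclude it explicitly.
        if isinstance(qty, bool) or not isinstance(qty, int) or qty < 1:
            raise OrderRejected(f"bad quantity for {sku!r}")
        subtotal += MENU_PRICES[sku] * qty

    # Validate every coupon before redeeming any, so a rejected order does
    # not leave some codes burned. Track codes seen in this request too,
    # otherwise the same unused code could be listed twice and count twice.
    discount = 0
    seen = set()
    for code in request.get("coupons", []):
        entry = coupons.get(code)
        if entry is None or entry["redeemed"] or code in seen:
            raise OrderRejected(f"invalid or already used coupon {code!r}")
        seen.add(code)
        discount += entry["discount"]
    for code in seen:
        coupons[code]["redeemed"] = True

    total = max(subtotal - discount, 0)
    # The client's value is never used for charging, but a mismatch is
    # worth logging: it is a strong signal of request tampering.
    mismatch = "total" in request and request["total"] != total
    return {"total": total, "client_total_mismatch": mismatch}
```

Against the tampered request, `vulnerable_checkout` happily returns 0 while `hardened_checkout` charges 1337 cents and flags the mismatch; a coupon code can be redeemed once, and a second use, or the same code listed twice in one order, is refused without burning anything.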
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert and has also worked for security companies such as Kaspersky Lab. His everyday job involves researching new malware and cyber security incidents. He also has deep knowledge of mobile security and mobile vulnerabilities.