German software developers discovered a software vulnerability within the McDonald's promotions system
Software developers Lenny Bakkalian and David Albert discovered a new way to order fast food – and it does not require any funds. As it turned out, the systems McDonald's used to apply free vouchers in Germany were affected by a software vulnerability that allowed them to order an endless amount of hamburgers, or any other items on the menu, absolutely for free.
As reported by Vice, the two researchers first discovered the flaw within the McDonald's promotions system in November 2019 after they examined the code of the website that let people complete a short survey in exchange for a free beverage voucher, redeemable within a month. David soon noticed an interesting bug:
One day, David happened to be checking out how the website's code was structured when he noticed that the information triggering the server to issue a new voucher was always the same. That meant he could build a programme that replayed the request, as if someone were taking the survey again and again.
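The design weakness described above is that the request which makes the server issue a voucher contains nothing the server consumes, so the same request can be sent repeatedly. The following is an added illustration, not code from the article or from McDonald's: a toy issuing function with that property beside a hardened service that hands out a server-generated, single-use survey token and consumes it on first use. The function and field names (issue_voucher_replayable, VoucherService, survey_completed, the 15-minute survey window) are assumptions; the one-month voucher validity matches what the article states.

```python
"""Voucher issuance: a replayable design beside a single-use-token design.

Added illustration; the request fields, the VoucherService API and the survey
window are assumptions, not McDonald's actual system.
"""
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

SURVEY_WINDOW = 15 * 60          # assumed: survey must be finished within 15 minutes
VOUCHER_TTL = 30 * 24 * 3600     # voucher redeemable within a month, as the article says


def new_code() -> str:
    """Unguessable voucher code (128 bits of randomness)."""
    return secrets.token_urlsafe(16)


# --- Weak pattern: the issuing request carries nothing the server consumes ---

def issue_voucher_replayable(payload: dict) -> str:
    """Issues a fresh voucher for any well-formed 'survey completed' payload.

    Nothing in the payload is single-use, so the identical request can be
    sent again and every repeat yields a new code.
    """
    if not payload.get("survey_completed"):
        raise ValueError("survey not completed")
    return new_code()


# --- Hardened pattern: one server-issued token per survey, consumed on first use ---

class VoucherService:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now                                   # injectable clock for tests
        self._pending: Dict[str, Tuple[float, str]] = {}  # token -> (issued_at, client)
        self._vouchers: Dict[str, float] = {}             # code -> expiry timestamp
        self.rejected = 0                                 # counter a detection rule can alert on

    def start_survey(self, client_id: str) -> str:
        """Server mints the token; the client cannot fabricate one."""
        token = secrets.token_urlsafe(16)
        self._pending[token] = (self._now(), client_id)
        return token

    def complete_survey(self, token: str, client_id: str) -> Optional[str]:
        """Returns a voucher code once per token, or None when the request is rejected."""
        entry = self._pending.pop(token, None)  # pop: the token can never be presented twice
        if entry is None:
            self.rejected += 1
            return None
        issued_at, owner = entry
        # Bind the token to the client that started the survey and to a time window.
        if owner != client_id or self._now() - issued_at > SURVEY_WINDOW:
            self.rejected += 1
            return None
        code = new_code()
        self._vouchers[code] = self._now() + VOUCHER_TTL
        return code

    def redeem(self, code: str) -> bool:
        """A voucher redeems at most once and only before it expires."""
        expiry = self._vouchers.pop(code, None)
        return expiry is not None and self._now() <= expiry
```

The two properties worth checking in any promotion backend are visible in the hardened class: issuance is keyed on state only the server can create and that is destroyed on use, and redemption is likewise one-shot. The rejected counter is the natural input for a detection rule, since a burst of rejected completions from one client is exactly the signal a replay attempt produces.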
The discovery prompted the developers to research further, and they soon found another flaw that allowed them to order food as well.
The developers began to experiment – an order for €17 was a success
Software vulnerabilities are often used for malicious purposes, such as stealing funds or sensitive information from companies or individuals. As it turns out, the flaw at McDonald's Germany, while not critical, could still be abused by malicious actors.
After discovering the first bug in the system and developing a working coupon generator, the developers needed only another five hours to go further. Their equipment consisted of two mobile phones, the McDonald's app, and a laptop configured as a proxy server.
Once the setup was in place, they placed a €17 order and used the generator to submit it through the app. The total price shown in the app was €0.00; all they had to do was press “Complete the order” and pick it up using the redemption code provided.
Upon arrival, they informed the restaurant manager about the situation and offered to pay for the food they had ordered, but the manager refused the money. In another case in Hamburg, they ordered 15 hamburgers; after they informed the staff this time, the order was cancelled before it was completed. The management told the developers it would look into the system bug, but two weeks later it was still there – unfixed, and they could still order food for free with the help of the generator.
The vulnerability finally fixed
Because the flaw was ignored, the developers could simply have kept using the generator for an endless supply of McDonald's food had they wanted to. Instead, they said, they wanted to prevent cybercriminals from generating these free vouchers and selling them online for personal profit.
Many large companies run bug bounty programmes in which security researchers and vulnerability hunters are rewarded for their findings, since such loopholes can cost companies millions of dollars in damages. Clearly, the flaw in the German coupon system would not run McDonald's out of business, but it is a flaw nevertheless, and it could be exploited.
Vice contacted the fast-food chain on behalf of the researchers, as their own attempts to report the flaw had gone unnoticed. A spokesperson claimed that the discovered flaw could only be exploited with in-depth programming knowledge and that anyone doing so would be liable to prosecution; the spokesperson also claimed that the McDonald's app meets all safety requirements.
Despite this, one of the researchers later confirmed that they did receive a reward from the fast-food restaurant chain and that the bug was fixed in mid-December 2019.