In Germany, 3 investigators experts in cyber security and ethic hacking revealed a method to hack the app of McDonald’s; using some security holes and vulnerabilities, the investigators used the app to order food for free.
The ethic hacking team is formed by David Albert, Lenny Bakkalian and Mats Tesch, who say that they discovered a pair of vulnerabilities in the order section of the app, where they managed to generate cupons to reply polls. The vicepresident of McDonald’s Germany mentioned that the errors were reported to the brand and they should have been already corrected.
In their report, the hackers mentioned that the vulnerabilities were discovered last November while they were doing a research on the polls’ website of McDonald’s. Thanks to an error in the platform, the hackers designed a program to authomize the replies of the polls, generating an almost unlimited amount of coupons.
The investigation didn’t end there. The investigators reported the discovery of another security error in the code of the app, specifically in the coupon generating function, which was abused to generate coupons arbitrarily. The ethical hacking team tested these errors on a branch office of McDonald’s in Hamburg with a previous permission from the staff. In a short amount of time, the hackers managed to generate 15 orders valued in more than 100 euros.
According to the International Institute of Cyber Security(IICS), the investigators concreted the hacking manipulating the data packages through their own proxy server, which allowed them to modify the orders in the app to leave the amount on 0. Though the IT teams of McDonald’s delayed the repairs for more than 2 weeks, the errors have already been repaired, although some new method could be revealed in the future.
This type of errors have been found in similar platforms, mainly in food delivery apps(Rappi, Deliveroo, etc.) and other services. Specialists consider that this is because the developers use code libraries almost the same as a base for the apps, which makes the same error to appear and be exploited in more platforms.