Overview
- Security researcher “Bobdahacker” found that McDonald’s delivery app checked reward points only on the client side, allowing free delivery orders.
- On the Feel‑Good Design Hub, switching a URL from “login” to “register” created accounts that received plaintext passwords, while exposed MagicBell keys and Algolia data revealed users and emails.
- Faulty OAuth allowed basic crew accounts to access executive portals, view internal documents, and search employee email addresses.
- The Global Restaurant Standards portal lacked admin authorization, enabling unauthorized edits to franchise guidance, and a CosMc’s promo coupon was easily reset and rewritten.
- McDonald’s has addressed most reported issues after responsible disclosure, yet no security.txt is available and some registration protections remain incomplete, echoing broader risks highlighted by a recent Paradox.ai job‑bot breach using the password 123456.
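As an added illustration (not code from the researcher or from McDonald’s), the server-side checks that would close the reward-points and portal-authorization findings above: the vulnerable order handler trusts a client-supplied flag, the fixed one debits an authoritative server-held balance, and the guidance editor verifies the caller’s role per request. All names, roles and point values are constructed assumptions.

```python
# Constructed example: server-side enforcement for two of the findings above.
# Nothing here reflects McDonald's real APIs, data or point values.
from dataclasses import dataclass, field

DELIVERY_COST_POINTS = 500  # assumed cost of a delivery redemption


@dataclass
class User:
    user_id: str
    role: str    # "crew" or "admin", held server-side
    points: int  # authoritative reward balance, held server-side


@dataclass
class Server:
    users: dict = field(default_factory=dict)
    guidance: dict = field(default_factory=dict)

    def redeem_delivery_vulnerable(self, session_user_id: str, client_claim: dict) -> str:
        """Client-side-only pattern: the server honours whatever the client asserts."""
        if client_claim.get("free_delivery"):
            return "ok: delivery redeemed"  # no balance ever consulted
        return "denied: insufficient points"

    def redeem_delivery(self, session_user_id: str, client_claim: dict) -> str:
        """Fixed pattern: ignore the client's claim, check and debit the server ledger."""
        user = self.users[session_user_id]
        # client_claim is deliberately unused; only the server-held balance decides
        if user.points < DELIVERY_COST_POINTS:
            return "denied: insufficient points"
        user.points -= DELIVERY_COST_POINTS
        return "ok: delivery redeemed"

    def edit_guidance(self, session_user_id: str, key: str, value: str) -> str:
        """Authorization comes from the server-side role on every request,
        not from which portal URL the client managed to reach."""
        user = self.users[session_user_id]
        if user.role != "admin":
            return "denied: admin role required"
        self.guidance[key] = value
        return "ok: updated"
```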