It’s been a tough month for McDonald's after their AI-powered hiring platform became the centre of attention when researchers found that they were able to abuse the platform and make API calls to retrieve actual applicant data.

The researcher, BobDaHacker, started by probing the mobile application, initially finding that he was able to claim free nuggets because the check on whether a user had the points to claim free food was done client side.
Further probing allowed the researcher to access the brand asset portal, as this also used a client-side password for access.
It appears that the researcher who was investigating this was also able to find significant data on employees, including executives. The researcher made McDonald's aware of the vulnerability, but following a 3-month overhaul by McDonald's, the weakness was found to still be there by changing the URL from */login to */register.
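
The client-side points check described above, modelled as an added example (constructed here, not McDonald's code or the researcher's; the catalogue, ledger, function names and request fields are all hypothetical). The first handler accepts the eligibility value the app sends, the second decides from server-side state and debits it.

```python
# Constructed model of a rewards backend; every name and value is hypothetical.
from dataclasses import dataclass

REWARD_COST = {"nuggets": 1500}         # constructed catalogue: item -> points
LEDGER = {"alice": 200, "bob": 2000}    # constructed server-side balances


@dataclass
class Result:
    ok: bool
    reason: str


def redeem_trusting_client(user: str, req: dict) -> Result:
    """Weak pattern: the app 'already checked' the balance, so the server
    accepts the points figure carried in the request body."""
    if req.get("client_points", 0) >= REWARD_COST[req["item"]]:
        return Result(True, "redeemed")  # ledger is never read or debited
    return Result(False, "insufficient points")


def redeem_server_checked(user: str, req: dict) -> Result:
    """Hardened pattern: ignore any client-supplied balance, decide from the
    ledger, and debit so the same points cannot be spent twice."""
    cost = REWARD_COST.get(req.get("item"))
    if cost is None:
        return Result(False, "unknown item")
    balance = LEDGER.get(user)
    if balance is None:
        return Result(False, "unknown user")
    if balance < cost:
        return Result(False, "insufficient points")
    LEDGER[user] = balance - cost
    return Result(True, "redeemed")


def demo() -> list:
    # Constructed request whose points figure does not match the ledger.
    req = {"item": "nuggets", "client_points": 999999}
    return [
        redeem_trusting_client("alice", req).ok,  # server believed the client
        redeem_server_checked("alice", req).ok,   # ledger says 200 < 1500
        redeem_server_checked("bob", req).ok,     # 2000 >= 1500, debited
        redeem_server_checked("bob", req).ok,     # only 500 left
    ]


if __name__ == "__main__":
    print(demo())
```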
See the full article here:
https://cybersecuritynews.com/mcdonalds-free-nuggets-hack/