some of the worst API security i've EVER seen

Web APIs are hard to get right... but not THIS hard. In this video we react to an article by a security researcher who hacked McDonald's India.

Comments

$240 in giftcards is an absolutely pathetic payout for the value he provided with his tests regardless of where the tester lives.

zaibachien

For any org, especially one the size of McDonald's India, $240 is nothing. Even by Indian standards he should have been awarded at least $2K+. It could have cost them upwards of $5K+ to get a security report even from a (decent) Indian company. And they would probably have run this report at least 3-4 times before extracting all the faults.

dextroz

Author/researcher here 👋

Thanks for covering - really enjoyed your commentary!

EatonZveare

Hack McDonald's API to steal users' credentials: ❌️
Hack McDonald's API to get free meals: ✅️

yassine-sa

I once speculatively "hacked" a CMS that I'd never come across before by simply changing the user id to zero in a form and magically gained uber admin rights. When you have nothing better to do than "I wonder if..."

simaesthesia

McDonald's bug bounty reward section says: "The reward for a valid bug will be Rs. 2,500/- in the form of coupons (applicable only in McDonald's India)". That's 31 USD of coupons valid only in India. The fact that he got 250 USD was probably because he exposed multiple areas like SQL injection, API vulnerabilities, session flaws etc. Still not worth it unless you are some college grad trying to build your résumé.

Little-bird-told-me

I'm a school office lady by profession. I taught myself JavaScript so I could build web scrapers to do my data entry work for me. That "just change the 'disabled' property of the submit button" trick works so much more often than it should.

maotseovich

You didn't mention the ultimate in white-hat-hacking: He got approval from the target to publish the article!

WilliamHostman

This guy just saved McDonald's from losing millions of dollars and they gave him a $250 gift card, wow.

kgamerplays

Not surprised the McDonald's API and services are full of holes.

Back in 2017-2018, it was easy to essentially get infinite 1€ cheeseburgers just by sending requests to the API endpoint that gave out coupon codes for giving feedback.

chadyways

The $240 gift card is absolutely ridiculous when you consider the high potentials for monetary and privacy abuse.
What a disgrace to the bug bounty program.

djbremsespor

You have to do both authentication AND authorization.

davidmorton

They do have the DoorDash equivalents, Swiggy and Zomato, which went public. But you get discounts on the McDelivery app, so it's popular for restaurants to have separate apps too for discounts and community stuff. That's why having those restaurant apps is useful when you specifically want their food and a discount. Examples: KFC or Domino's.

rohitrmohanty

Came for the API security, stayed to get shamed over my Mc. D's ordering habits.

FeckOffTeaCup

The fact that I am watching this first thing on a Saturday should show my love for this channel.

sambhatia

getting paid more for reacting to it than discovering it is crazy

brodie

Dude I used the McDonalds app the other day, and with how terrible it is, I was thinking "if they're this bad at front end, imagine how their back end is"

chipredacted

"People in India are fairly healthy" - loll nope, very high rates of obesity and diabetes in India these days :-(

smartperson

"It's interesting McDonald's India takes security more seriously." Yeah sure, very very seriously.😂

artemus

15:00 That's why web developers should practice Postman-first development. Don't trust the UI; base everything on the requests themselves.

_Aarius_
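Several comments in this thread describe one server-side mistake from different angles: the "change the user id to zero" story, the "flip the submit button's disabled property" trick, the reply that you need authorization as well as authentication, and the advice to build against the requests rather than the UI. The following is an added example and not code from the video, the article, or McDonald's; it shows a minimal Node.js order-lookup handler that authenticates but then believes a client-supplied user id (the insecure direct object reference shape), the same handler with the authorization decision moved to server-held identity, and a server-side pricing check that ignores whatever the UI claimed. The session table, order records and menu are constructed for illustration.

```javascript
// Added example (not from the video or the article it reacts to).
// A minimal order API: first the IDOR the thread describes (the server trusts a
// user id the client supplies), then the hardened form where identity comes
// from the session and ownership is checked against it, plus a pricing step
// that re-derives everything the UI "enforced". All data is constructed.

// Constructed order store: order id -> record.
const orders = {
  101: { id: 101, ownerId: 1, items: ["McAloo Tikki"], address: "Flat 4, Pune" },
  102: { id: 102, ownerId: 2, items: ["McSpicy Paneer"], address: "12 MG Road, Bengaluru" },
};

// Constructed session store: bearer token -> user id. The server, not the
// request body or query string, is the source of truth for "who is calling".
const sessions = { "tok-alice": 1, "tok-bob": 2 };

// Constructed menu: the server's own price list.
const menu = { "McAloo Tikki": 45, "McSpicy Paneer": 179 };

function authenticate(req) {
  const auth = req.headers.authorization || "";
  if (!auth.startsWith("Bearer ")) return null;
  const userId = sessions[auth.slice(7)];
  return userId === undefined ? null : userId;
}

// VULNERABLE: authentication happens, but the "is this your order?" check is
// made against a user_id the client chose. Bob, logged in as himself, reads
// Alice's order by sending user_id=1&order_id=101. A check such as
// "user_id === 0 means admin" fails the same way for the same reason.
function getOrderVulnerable(req) {
  const caller = authenticate(req);
  if (caller === null) return { status: 401, body: "login required" };
  const order = orders[req.query.order_id];
  if (!order) return { status: 404, body: "not found" };
  if (String(order.ownerId) !== String(req.query.user_id)) {
    return { status: 403, body: "forbidden" };
  }
  return { status: 200, body: order };
}

// HARDENED: authorization compares the record's owner with the identity the
// server established; any user_id in the request is ignored. Returning 404 for
// "not yours" as well as "does not exist" avoids confirming other users' ids.
function getOrderHardened(req) {
  const caller = authenticate(req);
  if (caller === null) return { status: 401, body: "login required" };
  const order = orders[req.query.order_id];
  if (!order || order.ownerId !== caller) return { status: 404, body: "not found" };
  return { status: 200, body: order };
}

// The "disabled submit button" trick: a greyed-out button or a read-only price
// field is advisory. The server re-derives the price from its own menu, bounds
// the quantity itself, and ignores any total the client sent.
function priceOrder(body) {
  const qty = Number(body.quantity);
  if (!Number.isInteger(qty) || qty < 1 || qty > 20) return { ok: false, error: "bad quantity" };
  const unit = menu[body.item];
  if (unit === undefined) return { ok: false, error: "unknown item" };
  // body.total, if present, is deliberately never read.
  return { ok: true, total: unit * qty };
}

module.exports = { getOrderVulnerable, getOrderHardened, priceOrder };
```

The shape of the fix is the same whether the object is an order, a profile, or an admin flag: look the record up by the id the client gave, then decide access using only what the server already knows about the caller.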