
McDonald's staff and partner portals server-side access-control flaws

Vulnerability
Happening score (H score): 22
1 unique source, 1 article

Summary

McDonald's staff and partner portals were found to have server-side access-control and authentication flaws, creating risk of unauthorized corporate data access and website changes. The weaknesses affected the Feel-Good Design Hub and related systems used by partners in more than 120 countries. The exposed paths could leak API keys, raise user privileges, and let a user alter a franchise owner's website. McDonald's later fixed the hub, but the findings show the portals depended on flawed client-side and registration controls.

Timeline

  1. 20.08.2025 21:41 · 1 article

    McDonald's staff and partner portal flaws disclosed

    Initial Disclosure

    BobdaHacker disclosed access-control and authentication flaws across McDonald's Feel-Good Design Hub, Global Restaurant Standards, crew member system, and Stravito knowledge management platform. The issues exposed API keys, a plaintext password, internal corporate documents, executive email addresses, and administrator functions, and could be abused to list users, send official-looking notifications, or alter franchise-owner website content. McDonald's later fixed the reported problems, but the company still lacked a proper security reporting channel.