Hacking McDonald's for Free Food

This hack was possible because the McDonald’s app didn’t authenticate the server, and just did whatever the server told it to do:

McDonald’s receipts in Germany end with a link to a survey page. Once you take the survey, you receive a coupon code for a free small beverage, redeemable within a month. One day, David happened to be checking out how the website’s coding was structured when he noticed that the information triggering the server to issue a new voucher was always the same. That meant he could build a programme replicating the code, as if someone was taking the survey again and again.

[…]

At the McDonald’s in East Berlin, David began the demonstration by setting up an internet hotspot with his smartphone. Lenny connected with a second phone and a laptop, then turned the laptop into a proxy server connected to both phones. He opened the McDonald’s app and entered a voucher code generated by David’s programme. The next step was ordering the food for a total of €17. The bill on the app was transmitted to the laptop, which set all prices to zero through a programme created by Lenny, and sent the information back to the app. After tapping “Complete and pay 0.00 euros”, we simply received our pick-up number. It had worked.

The flaw was fixed late last year.
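The two weaknesses in the excerpt are the replayable survey request and the bill whose prices a proxy could rewrite in transit. The following Python simulation is an added example, not the McDonald's app, its backend, or the researchers' tooling; the menu, prices, tokens and server key are all constructed for the illustration. It shows the flawed pattern (a backend that accepts whatever total the app sends back) beside the server-side checks that defeat it: one-time survey tokens so a replayed submission issues nothing, and a server-only MAC plus recomputation of the total so a zeroed bill is rejected.

```python
"""
Added example (not code from the McDonald's app or the article).
Constructed data throughout: the menu, the server key and the tokens are invented.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional, Set

# Hypothetical menu; prices in cents to avoid float rounding.
MENU_PRICES_CENTS: Dict[str, int] = {"burger": 850, "fries": 400, "cola": 450}
# Server-only key (assumption): it never ships inside the app, so a proxy cannot forge a MAC.
SERVER_KEY = b"constructed-secret-never-shipped-in-the-app"


def _canonical(obj: dict) -> bytes:
    """Stable serialization so the MAC covers exactly the fields the server set."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _mac(bill: dict) -> str:
    """HMAC over every bill field except the MAC itself."""
    unsigned = {k: v for k, v in bill.items() if k != "mac"}
    return hmac.new(SERVER_KEY, _canonical(unsigned), hashlib.sha256).hexdigest()


# --- 1. Survey voucher issuance -------------------------------------------------

class VoucherService:
    """Each receipt carries a one-time survey token; a token issues at most one voucher."""

    def __init__(self) -> None:
        self.valid_tokens: Set[str] = set()
        self.used_tokens: Set[str] = set()

    def print_receipt(self) -> str:
        """Called when a real purchase is rung up; the token is printed on the receipt."""
        token = secrets.token_hex(8)
        self.valid_tokens.add(token)
        return token

    def submit_survey(self, token: str) -> Optional[str]:
        """Replaying the same submission yields nothing the second time."""
        if token not in self.valid_tokens or token in self.used_tokens:
            return None
        self.used_tokens.add(token)
        return "FREE-DRINK-" + secrets.token_hex(4)


# --- 2. Bill integrity ----------------------------------------------------------

def server_build_bill(order_id: str, items: List[str]) -> dict:
    """The server prices the order from its own menu and MACs the result."""
    lines = [{"item": i, "price_cents": MENU_PRICES_CENTS[i]} for i in items]
    bill = {"order_id": order_id, "lines": lines,
            "total_cents": sum(line["price_cents"] for line in lines)}
    bill["mac"] = _mac(bill)
    return bill


def proxy_zero_prices(bill: dict) -> dict:
    """What the laptop in the story did: rewrite every price to zero in transit."""
    tampered = json.loads(json.dumps(bill))  # deep copy, as a proxy would re-emit the JSON
    for line in tampered["lines"]:
        line["price_cents"] = 0
    tampered["total_cents"] = 0
    return tampered


def naive_server_accepts_payment(bill: dict, paid_cents: int) -> bool:
    """The flawed pattern: trust the total that comes back from the app."""
    return paid_cents == bill["total_cents"]


def hardened_server_accepts_payment(bill: dict, paid_cents: int) -> bool:
    """Reject a bill whose MAC no longer matches, then recompute the total from the menu."""
    if not hmac.compare_digest(_mac(bill), bill.get("mac", "")):
        return False
    expected = sum(MENU_PRICES_CENTS[line["item"]] for line in bill["lines"])
    return bill["total_cents"] == expected and paid_cents == expected


if __name__ == "__main__":
    svc = VoucherService()
    tok = svc.print_receipt()
    print("first survey:", svc.submit_survey(tok))
    print("replayed survey:", svc.submit_survey(tok))

    bill = server_build_bill("order-1", ["burger", "fries", "cola"])
    zeroed = proxy_zero_prices(bill)
    print("naive server accepts 0.00:", naive_server_accepts_payment(zeroed, 0))
    print("hardened server accepts 0.00:", hardened_server_accepts_payment(zeroed, 0))
    print("hardened server accepts real bill:",
          hardened_server_accepts_payment(bill, bill["total_cents"]))
```

The MAC is only checkable by the server, which is the point: the backend must never take the app's word for what is owed, whatever the app displays. The app-side half of the fix, which this offline example cannot model, is authenticating the server in the first place (ordinary TLS certificate validation, optionally with pinning), so that a laptop running as a proxy cannot impersonate the backend at all.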

Posted on February 18, 2020 at 6:09 AM
15 Comments

Comments

Wayne February 18, 2020 9:41 AM

Speaking of McD’s, apparently the HBO series on their Monopoly game that got hacked, McMillion$, is getting really good reviews and is quite popular. I haven’t gotten around to watching it yet.

Norio February 18, 2020 10:29 AM

Finally, a heartwarming hacker story! These kids weren’t doing it for the “food” (since it’s McDonald’s I need to put quotes around that word) or for a selfish motive.

la abeja February 18, 2020 12:14 PM

@ Wayne + Norio

Bunch of old Finns get together like that sometimes, act like they’re p!mps or m0b bosses or something like that, kick the kids out of the restaurant for lo!tering or tre5pa$$ing or something like that, berate the owner, “You know you have the right to refuse service to anyone! Why do you let those punks eat here? We’ve got real estate deals going down!”

Truth is, the franchise owner is only watching his local cash register and doesn’t care about that IT or app stuff or online coupons. As long as he’s got his books covered, it’s not his responsibility.

Clive Robinson February 19, 2020 12:31 AM

@ Sed Contra,

Since it was a McDonald’s in Germany, hopefully they ordered beer.

But only with the breakfast orders 😉

But it raises a thought, does the bread McDonald’s use “Pass the purity laws?”

Sam February 19, 2020 5:27 PM

I don’t know why you even need to bother. I saw the instructions for a major US fast food chain’s free-food-for-survey coupons, and it was simply matching the first three digits of the code with a code corresponding to the month. You just needed to write down the same prefix followed by random digits for an infinite number of coupons, assuming the cashier even bothered to pull out the list to validate them.

However, the policy was simply max one coupon per visit, making this much less attractive to exploit.

Hong Ming February 19, 2020 6:30 PM

In Singapore’s Pizza Hut, they used to allow you to claim a free pizza if you fill in the survey code on the previous receipt. Claiming the free pizza gives you another receipt which you could fill in the survey code (again) to claim another free pizza. Sadly, they quickly discovered this loophole and you could only claim the free pizza with a valid purchase – which could just be a can of pepsi.

vas pup February 20, 2020 4:12 PM

Data breach hits agency overseeing White House communications:
https://www.bbc.com/news/technology-51580925

“The US agency in charge of secure communication for the White House has been the victim of a cyber-attack.

The US Department of Defence confirmed that computer systems controlled by the Defence Information Systems Agency (DISA) had been hacked, exposing the personal data of about 200,000 people.

The agency oversees military communications including calls for US President Donald Trump.

The data exposed included names and social security numbers.

The agency is responsible for the military cyber-security and it sets up communications networks in combat zones.

On its website, DISA says its vision is “to be the trusted provider to connect and protect the war fighter in cyber-space.”

Clive Robinson February 21, 2020 7:33 AM

@ SpaceLifeForm, Rachel, Sed Contra,

At least two bricks have been kicked out of the wall.

Sed Contra February 21, 2020 8:27 AM

@ Clive Robinson, et al

I gladly submit to the wisdom of the Moderator though it exceed my understanding

Jesse Thompson February 21, 2020 12:42 PM

@la abeja

Truth is, the franchise owner is only watching his local cash register and doesn’t care about that IT or app stuff or online coupons. As long as he’s got his books covered, it’s not his responsibility.

Well, if you owned the McDonald’s restaurant in question, and if a miscreant hacks the app and picks up the food at your store, then you’d rely on the payment coming from corporate to balance your books, and it would never be tendered, would it?

Your staff made the food and you paid to get the ingredients and paid the staff, so you’ve got to make that money back.
