Two software developers in Germany discovered flaws in McDonald's systems that allowed them to order unlimited free food. David Albert and Lenny Bakkalian created programs that took advantage of loopholes in the fast food chain's website and app to order online at no cost and pick up the food at the restaurant.
The hackers found the vulnerabilities in November 2019 and soon reported them to the restaurant chain, which fixed the errors in mid-December 2019. However, the case became public only now, following a report by VICE Germany.
The discovery started from the receipt issued by McDonald's in Germany. There, the receipt has a link to a survey page at the end. By answering the survey, the customer receives a promotional code for a free small drink, which must be redeemed within one month.
David Albert was analyzing the code of the company's website and noticed the first loophole: the information that triggered the server to issue a new coupon was always the same. Thus, he could develop software that simply replicated the promotional code, simulating someone taking the survey several times.
This would give access to endless drinks, but not to hamburgers. "I played around with the coupon generator, and after about five hours, I discovered another vulnerability," David told VICE. This one did open the door to free food. The scheme, more elaborate than the one for the drinks, was demonstrated live for the report. First, David set up an Internet hotspot on his smartphone, and then Lenny Bakkalian connected to it with a second phone and a laptop. That done, Bakkalian turned the laptop into a proxy server that sat in the connection between the two cell phones.
In the second stage, Lenny opened the McDonald's app and entered a promotional code generated by David's program. Then he went through the purchase process normally, placing the order in the cart, which came to 17 euros. At this point, the online invoice was transmitted to the laptop. A program created by Lenny reset all prices to zero and returned the information to the application. All that remained was to press the button saying "Finish and pay 0.00 euros" and receive the order pickup number.
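Both flaws described above come down to the server trusting what the client sends. The following sketch is an added example, not McDonald's code or anything from the VICE report: it shows a backend that issues one coupon per receipt and recomputes the total from its own price list. The `Backend` class, item names and prices are constructed assumptions.

```python
import secrets
from decimal import Decimal, InvalidOperation

# Constructed price list; item names and prices are illustrative only.
CATALOG = {"burger": Decimal("9.00"), "fries": Decimal("4.00"), "drink": Decimal("2.00")}

class OrderError(Exception):
    """Raised when a request fails server-side validation."""

class Backend:
    """Hypothetical backend that treats every value sent by the app as untrusted."""

    def __init__(self):
        self.receipts = {}  # receipt id -> True once its survey coupon was issued
        self.coupons = {}   # coupon code -> True once redeemed

    def register_receipt(self, receipt_id):
        self.receipts[receipt_id] = False

    def issue_coupon(self, receipt_id):
        # One coupon per receipt, so replaying the same survey request fails.
        if self.receipts.get(receipt_id) is not False:
            raise OrderError("unknown receipt or survey already answered")
        self.receipts[receipt_id] = True
        code = secrets.token_urlsafe(8)  # unpredictable, stored server-side
        self.coupons[code] = False
        return code

    def checkout(self, cart, client_total, coupon=None):
        # Prices come from the server's catalog, never from the request.
        total = Decimal("0")
        for item, qty in cart.items():
            if item not in CATALOG or not isinstance(qty, int) or qty < 1:
                raise OrderError(f"invalid cart line: {item!r}")
            total += CATALOG[item] * qty
        if coupon is not None:
            if self.coupons.get(coupon) is not False or "drink" not in cart:
                raise OrderError("coupon invalid, already redeemed or not applicable")
            total -= CATALOG["drink"]
        try:
            claimed = Decimal(client_total)
        except InvalidOperation:
            raise OrderError("malformed total") from None
        if claimed != total:
            # A total rewritten in transit no longer matches and is rejected.
            raise OrderError("client total does not match server total")
        if coupon is not None:
            self.coupons[coupon] = True  # burn the coupon only on success
        return total
```

The total sent by the app is only compared against the server's figure, so an invoice altered between app and server leads to a rejected order rather than a changed price.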
At the time of the VICE demonstration, at least, the hackers tried to pay for the food. When they explained the scheme to the manager and offered the 17 euros, the McDonald's employee refused the money. "Relax and enjoy – everything is fine," said the fast food chain employee.
The hackers' motivation was not really the free lunch. David's entire effort to notify a multinational company was meant to help his friends Lenny and Mats Tesch, also a software developer, to get good jobs after graduation. "Findings like this will help with that," he explained.