A white-hat hacker has discovered a series of critical flaws in McDonald's staff and partner portals that allowed anyone to order free food online, get admin rights to the burger slinger's marketing materials, and could allow an attacker to get a corporate email account with which to conduct a little filet-o-phishing.
The hacker, who goes by "Bobdahacker", first noticed something was awry when she found that the McDonald's online delivery app checked an account's credit points only on the client side, with no server-side validation, allowing a Hamburglar to order food for free.
"You could just set up an account for that and it worked, only for delivery orders," she told The Register.
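The client-only points check described above, as an added illustration that is not from the article or from McDonald's systems: a constructed loyalty-points redemption handler that trusts the balance the client reports, beside a hardened version that resolves and deducts the balance server-side. The handler names, the points cost and the account store are assumptions.

```python
# Added illustration (not McDonald's code): a loyalty-points redemption
# handler modelled on the flaw described above, where the server trusted the
# client's own report of its points balance, beside a hardened version that
# resolves the balance from the server-side account record.
from dataclasses import dataclass

REWARD_COST = 1500  # constructed value: points needed for a free item

# Constructed account store keyed by session token (stands in for a database).
ACCOUNTS = {
    "sess-abc": {"email": "user@example.invalid", "points": 200},
}


@dataclass
class OrderResult:
    accepted: bool
    charged_points: int = 0
    reason: str = ""


def redeem_insecure(session: str, body: dict) -> OrderResult:
    """Vulnerable pattern: the balance check ran in the client, so the server
    only sees a flag and a number it never verifies against its own records."""
    if session not in ACCOUNTS:
        return OrderResult(False, reason="no such session")
    if body.get("has_enough_points") and body.get("points", 0) >= REWARD_COST:
        return OrderResult(True, charged_points=REWARD_COST)
    return OrderResult(False, reason="insufficient points")


def redeem_secure(session: str, body: dict) -> OrderResult:
    """Hardened pattern: ignore any client-supplied balance, look it up
    server-side, and deduct it so the same points cannot be spent twice."""
    account = ACCOUNTS.get(session)
    if account is None:
        return OrderResult(False, reason="no such session")
    # The client may only say *what* it wants, never what its account is worth.
    if body.get("item") != "free_item":
        return OrderResult(False, reason="unknown reward")
    if account["points"] < REWARD_COST:
        return OrderResult(False, reason="insufficient points")
    account["points"] -= REWARD_COST
    return OrderResult(True, charged_points=REWARD_COST)


def forged_request() -> dict:
    """Constructed request body in which the client lies about its balance."""
    return {"item": "free_item", "has_enough_points": True, "points": 999999}
```

The insecure handler accepts the forged body outright, while the hardened one rejects it until the server-side record actually holds enough points, and then refuses a second redemption once they are spent.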
Bafflingly, McDonald's did not have a valid security.txt file – a document that defines t