At least two users of the McDonalds mobile app aren’t lovin’ it after thieves hijacked their accounts and ordered hundreds of dollars of food for themselves.
Lauren Taylor of Halifax, Nova Scotia was shocked to find her bank account almost empty after someone used the McDonald’s mobile app to buy $500 of fast food over 1200 kilometres away in Montreal, Quebec.
The crook managed to compromise her account to run up the bills in a five-day period from 25-29 January. Every time the hungry hijacker scored a Big Mac and fries, a receipt showed up in her inbox. Unfortunately, she doesn’t check her email that regularly. By the time she did, she had just $1.99 left. She explained that she had to find rent, and presumably someone in Montreal had to find a larger pair of pants with an elasticated waist.
After ordering food through the McDonalds app, customers can check in when they reach the restaurant. The app then charges the debit card that they registered onto the system, and a member of staff will deliver it to them curbside. To get the food, the customer has to provide a four-digit code given to them by the app.
McDonalds Canada denied that there was a security problem with the app in an email to Canada’s CBC. A spokesperson said:
We take appropriate measures to keep personal information secure, including on our app. Just like any other online activity, we recommend that our guests use our app diligently by not sharing their passwords with others, creating unique passwords and changing passwords frequently.
Taylor claims that she did, though, arguing that she changes her passwords regularly, never shares them, and keeps them strong. The McDonalds app requires passwords to be eight to 12 characters long, with upper and lowercase characters and at least one number.
Taylor’s isn’t the only case. CTV also found a woman in Ontario who saw McDonalds purchases in another city racked up on her account. Then there were another two incidents involving Halifax residents Tracy Creaser and Brett O’Donnell.
Tasty customer data
It wouldn’t be the first time that McDonalds has served up hot, tasty customer data. In March 2017, McDonalds India urged people to upgrade its McDelivery app after it was reported that it was leaking the personal details of 2.2m users, including their name, email address, phone number, home address and coordinates and social profile links. Attackers could harvest the information by serially incrementing user ID parameters passed to the API, the security researchers said.
In January 2017, cybersecurity engineer Tijme Gommers disclosed a vulnerability showing how to steal customer passwords from the McDonalds website, drawing flak from readers of YCombinator’s Hacker News for not giving the fast food merchant enough time to serve up a response. However, that vulnerability was closed after the fast food chain upgraded its version of Angular to 1.6.
58 comments on “McDonalds app users hatin’ it after being hacked by hungry hamburglars”
“The McDonalds app requires passwords to be eight to 12 characters…”
That’s a bad sign right there. No modern password system should require a maximum amount of characters. Likely points to the passwords being stored in plain text, either in the app or in a older system.
I agree that an upper limit such as 12 characters is a bad idea. (An upper bound is not, of itself, a bad idea: allowing, say, multi-million character passwords could lead to a denial of service attack, but in an era of password managers, there’s just no point in having a 12 or even a 16 charactet cutoff.)
I’m not sure I agree that the most likely explanation is that the passwords are stored in plaintext, however. In my experience, this sort of limit is imposed in the IMO misplaced hope that it will reduce the number of password resets needed due to forgotten passwords, and therefore reduce the number of users who get angry at the brand.
Fair enough. If it is in the hope that people will remember it better, I agree it’s unlikely to work. Why 12 and not 13, say?
My guess is that someone, somewhere, sometime, decided that “12 is enough and 13 is too much” and it just stuck. Same thing with Android – “password must be fewer than 17 characters”, as though there is some mental block that kicks in after 16. (If you’ve chosen a passphrase with a sequence that flows in a way you can remember well, chopping one character off might surely make it harder to remember?)
Like that silly rule about changing your passwords every N days, whether you need to or not, where N is a fixed positive integer. Why a fixed number of days? And why 90? (Or 60, or some insist that it’s 45, or 30, or some other number with a “ring of science” about it.)
Or that weird thing in Britian these days about trivialising dietary advice down to eating vegatables at the rate of “5 a day” (or is it fruit?), as though everything we ever learned at school about units and dimensional analyis were a total waste of time. Is one pea suddenly equivalent to 125g of carrots, or a teaspoon of baked beans equal to a cubic metre of spinach?
I just got hacked for $55.62. If the app had implemented 2FA on retail purchases it would not have happened. Passwords are only part of the solution. I deally you want a pass phrase that can be spoken and the audio used as the password. “I’m hatin’ it” comes to mind as a choice!
I see that they still havent bothered to correct this issue. Clearly they dont care
“McDonalds Canada denied that there was a security problem with the app…”
So the crook used their own device to authenticate the order on collection? Thus the device ID is not part of the security in the app, which is fairly critical if payment mechanisms are tied to the user account
The fact that McD’s requires you to register a credit card with them is the reason I’ve never used their app for mobile ordering. If I could place the order and pay (with my actual credit card) at pickup time, I would use it, but they don’t allow this kind of service.
Many years ago I discovered that the crypto function of Cold Fusion with certain words led to an extremely long result that exceeded the length of a cookie. It took some time to work out when random user name / password combinations were failing. But it could be that the limit on password length may be some relic of the hashing used and so there is a limit on it. Or it could just be someone likes the number 12. Setting a password limit between 8 and 12 gives hackers some useful information, although hackers could probably deduce the limits fairly quickly.
Hash functions tend to produce a fixed length hash regardless of the length of the input, hence having no maximum limitation on the password length. Encryption would behave as you suggest, but that has its own set of vulnerabilities (such as having to store the key somewhere).
This happened to me last night in the UK. £300. Over 12 orders. Saw it happening and had to cancel credit card. Emailed Mcdonalds last night
Same happened to me last weekend in the UK, luckily I check my emails regularly and caught it when they had only managed to spend £40. Called Macdonalds 3 times and emailed them 5 times and no one can tell me when I’m going to get the money back, keep telling me that the financial team are looking into it but i am not allowed to speak to them or email them directly.The woman actually said on the phone when i first reported it ‘I don’t know why this keeps happening’..
Did they get back to you?
Shame on MickyD and placing the blame on the consumer… when it’s OBVIOUS they blew it and a hacker found a weakness…
This happened to me 2 weeks ago! I live in Washington State and someone purchased food in new York. I found out pretty quick via the email with the purchase. McDonald’s wouldn’t do anything to help me and told me to contact my bank.
> Attackers could harvest the information by serially incrementing user ID parameters passed to the API
We’ve all made rookie mistakes of one sort. But hasn’t this particular beast seen enough news that even rookies these days should be aware of what in hindsight is an off-the-hinges barn door of an opening?
The McDonalds app password is eight to 12 characters with upper and lower case and a number. Some Internet sites passwords are not case sensitive and are just letters and numbers.
No modern password system should be perhaps limited to a maximum length of characters. However at 8 to 12 or a bit more the best password should contain as many possible combinations for example: upper and lower case letters, numbers, all the special characters (!@#$%…), a space at any place, and therefore you have 5 groups to mix together to hopefully to make a strong secure password that I use. My bank password is 16 to 18 using almost all 5 groups however some other places I am allowed all 5 groups. For example Yahoo and Outlook email and Facebook and many others where its available.
My McDonalds password is 20 characters long.
Are you sure? Maybe it’s just ignoring the “extra” characters..?
I’m sure. Login failed when using first 12 characters of my password. BTW when using the app does your order get placed automatically when you are near the store? I have to press already here.
Just pay for your damn food with cash 😉
Pardon the wry observation, but “fast” food evidently isn’t fast enough? McDonald’s is the bottom of the food-quality barrel.
I expect some might be so passionate enough about a Big Mac as to disregard this red flag and keep the app installed.
If they’re that much in a hurry to get their Mickey D’s they might be wise to seek apps for local funeral homes who also offer express, last-minute service.
Precisely a year later † this will sound more pious than I intend…
I’m surprised to see new comments being added to this story. People who don’t read security blogs at least didn’t know about this app’s persistent “leak,” but I’d expect those who read Naked Security (and other places where this has no doubt been reported) to have deleted it quite some time ago. ††
† fine… one year, four hours, six minutes (HVD)
†† I’m at times certainly no poster boy for best practice, ††† but come on folks! The app can’t save enough time or money in purchasing crappy food to be worth getting ripped off even a couple bucks–let alone the amounts I see reported here.
††† *cough* re-used a password here and there, *cough* putting off personal backups…
I use a password manager, where I generate random strings of number/letter/symbol gibberish for every single service. My friend, who also uses a password manager to generate strings like these, was hacked recently. No amount of unique passwords and precautions will save you from an app that stores in plain text or has a character limit. The current limit is a joke when my passwords are regularly 30 characters long. I wouldn’t touch this app with a ten-foot pole.
Yes! Just had two orders of food on 14 Feb discovered today on 16 Feb. Account hacked and hijacked in Oregon while I was in Raleigh. Account password changed and payment method removed. This is a nightmare.
Are the people that have been hacked using the same password for other accounts apart from McDonalds?
This just happened to me. I live in GA and someone ordered (3) separate times in the Bronx on my account.
This happened to me as well. I live in SC and at the time I was traveling back from Ohio. Someone order 5 times in the Bronx on mine.
not cool, I just told than that Im taking them to court for breach of trust
Happened to me Monday night. Two purchases in Florida (I live in Michigan). Luckily it was only $40. McDonald’s offered me a free coffee for my trouble, but didn’t even follow through on that! Now waiting for the credit union to reimburse me.
Happened to me over the last week. $200 in food. Thankfully it’s discover so no liability. Mcdonald’s response was that they could care less.
mine was hacked too but only for $27
Mine was hacked as well in Canada. Luckily I was vacationing in the US at the time and the purchase was made close to home. I tweeted McDonald’s to let them know, I suggest everyone do that as well.
Account hacked! I’m happy I check my email often. Only $21.70. Password changed, card removed. I called the store. They offered to refund me my money next time I’m in the area. Sadly, I’m never in Greensboro, NC. I live in Indiana. Corporate took my report and said they’ll do an investigation, but said I needed to work with my bank to get the money back. Now waiting on the Credit Union. In the mean time, they’ve cancelled my card. OH HAPPY DAY!!
My Account was hacked on March 22nd 2019. I got 3 mobile order receipts from 2 McDonald’s restaurants in Quebec, Canada. I’m in Manitoba, Canada. $27.65CAD and $15.80 at McDonald’s Decarie and $9.55 at McDonald’s Autoroute 13. As soon as I got the email I locked my credit card, changed my password and removed my credit card from the app. The next day I contacted my bank and they reversed the charges and canceled my card. I called Mc Donald’s a few days later and they deactivated my McDonald’s account for the time being and are investigating. I still don’t know why they don’t have the ability to pay with Apple Pay or A gift card. There should also be 2 Factor Authentication.
I feel like my sons $300+ issue is not taken seriously by McDonald’s……
I sincerely appreciate getting feedback to my concerns, however when you state that the system is working as designed and secure I am not 100% happy with that response. I have receipts to prove that while my son was in ——-,Ontario, his MacDonalds account was being used on another device in and around Quebec City. His account obviously was hacked and someone was able to figure out his password.
I know we are not the first victims of this and will not be the last unless McDonald’s starts using authentication methods when a new device tries using the app. It should only be registered to one device and if a different device tries to connect, a message would need to go to original device to allow access. An app can easily identify when a new device tries to connect. This did not happen.
You are allowing CHILDREN to enter their banking credentials and then opening them up to hackers in this scenario…..email receipts were sent to him but this is a 16 year old kid! Emails are checked once in a blue moon and it was completely by chance that he was bored and checking emails when he realized what had happened.
Do I feel like McDonald’s is taking my issue seriously – I would say “no” as you continue to reply without addressing my concerns. This is not proper closure for me.
Sent from my iPhone
On Apr 3, 2019, at 5:17 PM, Mcdcan-Guestcontactcentre wrote:
Thanks for your response with the additional information requested. I am sorry to hear that your son’s account was compromised, and wanted to let you know we have shared the information provided with our security team.
I also want to assure you that our system is working as designed and is secure. Though we cannot speculate as to how the account credentials were accessed, through regular security audits of the My McD’s App, we remain confident that a security breach within our system has not occurred.
I would also like to re-iterate the importance of taking a few precautionary measures:
• Changing the password to the My McD’s app account, and associated accounts.
• Contacting your payment provider. They will be able to address the charges you have reported.
• Removing payment information from the account.
As an added precaution, we have also requested the digital team deactivate the account.
Thanks again for contacting us.
Was just hacked yesterday. $260. No way they guessed my password. I doubt there is no failed attempts being blocked and they allow the user to guess as many times as they want….
Was just hacked today for small amount but I got hacked. Stupid app.
I also discover that anybody hacked before in March 23rd 2019.
My was hacked on Saturday. Order $28 in Quebec where I live in BC. I reported to McDonald immediately and their only reply was to disable my account. Nothing else.
I was hacked on Feb. 11. About $36 in Georgia, though I was in Connecticut. McDonald’s fraud department still hasn’t resolved the issue (other than help me recover access to my mobile app account — uh, thanks, but no thanks), so I’m heading to the bank to dispute the charge tomorrow.
My was hacked on Monday april 22. 6 times Order total of $67 in Montreal where I live in Laval. I reported to McDonald immediately and their only reply was to disable my account. Nothing else
Just got hacked a couple of hours ago and noticed the email just now. I changed my password, but have no idea how to remove my card from the app as it doesn’t give that option. Input?
Your card information is in the app? Remove it and cancel the card. Use Apple pay as it is encrypted but this means you cannot use the app to place orders.
Yup. Just happened to me too on April 26, 2019. I am in Montreal and someone managed to get 3 orders in within 10 minutes in Vancouver as I was on the phone with my credit card company. Luckily I receive text alerts for any credit card transactions.
The app does allow you to remove payment methods You’ll need to look carefully to find it.
Tap the More triple dots, tap Profile, tap Payment Methods. You can delete the there.
My account got hacked a week ago. McDonalds is useless and as stated by people above, their solution is to delete my account. Needless to say I won’t be using their mobile ordering again. Shame on them!
This happened today to my friend in Halifax! Delete that stupid app clearly theres a problem!!
My account was hacked and the person managed to get over a $100 worth of stuff before we could get our cards cancelled. So when Macdonald say the security is OK it is a bunch of crap.
Hardly even received an apology for the hassle that it caused us.
Happened to me today, only lost $15 before I saw it happening. Ended up changing password and removing my credit card from the system. Can’t order without a credit card.
This happened to me on July 14, 2019. SIX different mobile orders at multiple McDonalds in 3 different cities (and 2 different STATES). All on July 14 around the same time. 6 different charges to my debit card. I noticed it immediately when I received a McD’s invoice for the first order ($40+) via my email when I hadn’t been to McD’s. It was charged to my debit card but had someone elses name on it and was in a different state. I checked my mobile app to find that someone had changed some of my personal information to another name and zip code, and found 5 additional orders/charges that I did NOT receive an email receipt for, but all 6 charges were on my bank account. I removed the debit card from the app, changed the password, notified my bank, cancelled my debit card, ordered a new one and cancelled the app and removed it. I won’t use their mobile ordering app again. After I notified my bank, I called McDonalds and notified them.The total of the fraudulent orders/charges were about $135. McD’s response was they would inform their tech department, and give me some coupons for free stuff. I doubt they will take any steps to address the problem.
My account was recently hacked and someone from Florida ordered $500 in McDonald’s from my card. Definitely not lovin’ it. McDonald’s needs to find a way to better secure users information.
My account was hacked five days ago. I’m only noticing now because I just saw the charges on my credit card statement. $221.46 spent in two days on McDonalds orders and when I checked the My McD’s app, I could see what was ordered under the “recents” section. Most of the purchases were made in Quebec, across the country from me. Two of them were in the same province, but a different city. They even changed my name on my McDonalds account for some reason. I have changed my password. I always use a password generator and never share them with anyone. I also removed my credit card info from the app. Not sure if that’s going to help at all though.
My app was hacked 12/27/2019. Two charges were made back to back in Bronx, NY. I live in Arkansas. Called the help line and they took some information and told me to contact my bank. Changed my password, removed my payment information, and will be deleting the app.
My app was hacked on 12/21/19. Two charges were made back to back in Bronx, NY. I live in Minnesota. Called and thy told me there is know way that that happened. Took some info and told me to call my bank. I have deleted the app.
Hey Danny, timely article. McDonald’s cares more about the revenue. For people that have been “hacked”…check yourself at haveibeenpwned[.]com . Some credential comparison may show that your ancient Adobe account credentials shared the same email/pwd as your McDonald’s account. My alter ego is enjoying nugs and pineapple smoothies 2,000 miles away because of McDonald’s deliberate choices to allow fraud:
1. No mobile password managers…can’t generate a rando password, so new users will type in a common (read: shared) “temp” password that can be remembered. But, how many of us ever go back and change those for seemingly low-impact creds?
2. Sad passwords. Early version of app did not have even the lame pwd complexity rules that are in place now. Six chars, numbers and letters only worked…and still work as long as the creds stay grandfathered in. Who can break that record? Anyone with 4 chars still working?
3. No 2FA/MFA. Too many features confuses non-tech-savvy. Fewer options = faster revenue. McDonald’s has mastered this.
4. Can’t remove payment methods from app. Your only choice? Cancel the credit card.
5. No fraud contacts from within app
6. No fraud contacts from corporate web site
7. Facebook page is not claimed/verified…so not a viable method to reach out there
8. No verification for adding devices to account
9. No notification upon adding devices to account
10. No list of connected devices and activity
11. No means to disconnect devices
12. Allows repeat fraud: first 2 of 5 transactions allowed to go through based on McDonald’s acceptance of poor security.
13. Shows name and last 4 of CC in app. No ability to rename payment methods, like “the blue one with three dots”. Naming cards with personal references allows the actual owner easily identify it without revealing account information.
Even if I use a password manager to generate random garbled symbols and letters (which I do), how useful is that really, if the app stores everything in plain text anyways? You can see a “s48fd36hjw8945” password with the same ease as a “happy123” password. Even if a password hasn’t been pwned or otherwise on a hack list like “Rock You”, I wouldn’t use this app because there’s no confirmation it stores passwords with proper encryption. If you do have evidence of that, I would love a source.