I Hacked McDonald's (Security Contact Was Harder to Find Than Secret Recipe)
(bobdahacker.com) 37 points by Improvement 4 days ago
It's pretty standard for the infosec world, it attracts somewhat unusual personalities. This is why it's so important for larger companies to have clearly signposted responsible disclosure channels: if the channels are there, then people like Bob often will use them, even if there's no reward on offer.
> causing the friend to get fired, rightfully so
Given that the intent of the friend was to help improve McDonald's security, I'd have to disagree that the firing was rightful. However, it is something that probably 90%+ of multinationals would do in this situation.
> Given that the intent of the friend was to help improve McDonald's security, I'd have to disagree that the firing was rightful.
I’d be inclined to fire someone who shared their credentials with an outsider running an unauthorized security test or discussed unpatched vulnerabilities in detail with outsiders.
An employee poking around and finding stuff on their own and reporting it might be a different story, though the details would still matter a lot.
OP did not use their employee friend's credentials, they created their own account through the registration page.
Unless this becomes news on mainstream media (hint: it won't), nothing happened and nothing will change.
The only thing that will actually make them change how they handle security is an event where their internal system gets hacked in a really bad way, like PSN, potentially affecting restaurant operations and involving customer info. Then executives will start paying attention. Otherwise, this is what it is.
I hate this idea that you always have to be professional when dealing with a corporation and have to follow rules exactly, often rules made up by the corporation. (Laws are just rules too, they are enforced by violence.)
The corporation showed gross incompetence and was punished for it. Sending passwords in plaintext indicates deeper security issues and systemic failures. HN can cry about companies leaking people's personal details but to actually make it affect their bottom line and force them to fix it, it has to affect their bottom line - they must get punished.
Sure, this was not a legal punishment but it was not wrong and it was very minor anyway.
Legality is not morality. Laws are written to protect peace (absence of visible conflict), not to protect justice.
For future reference, look at what the same hacker posted a few hours ago: https://news.ycombinator.com/item?id=44997145
The security researcher could definitely be arrested for this.
He used employee credentials, and of course his friend got fired, it’s literally the first thing places tell you: don’t share your password.
They did not use or have access to employee credentials. They registered their own account.
Given the sloppiness of McDonald's security, my conclusion is that they don't really care about being secure. Being hacked is an annoying business expense to them, but that's it.
Given that his friend was fired, if I ever had an inkling of doing free pentesting for McDonald's, I sure as hell don't now. They don't deserve it.
> Given that his friend was fired, if I ever had an inkling of doing free pentesting for McDonald's, I sure as hell don't now.
What is a company supposed to do when they detect an employee repeatedly trying to access different systems they shouldn't have access to (nor have reason to even try)?
Nothing? The employee is using their own legitimate credentials on an internal system.
I wonder who programmed it? I had a project in India with a giant multi-national consulting company and McDs was one of their clients. I wasn't in that project but it looked like there were a couple dozen developers on it.
I am not sure why they found access to the company directory so enticing. There was plenty of red meat in the post, but being able to look up other people in the company is just kind of essential. My employers have always had some kind of search functionality which gives you name, title, email, department, etc.
The author seems a bit... immature in their handling of things? Using a friend's login to pentest stuff (causing the friend to get fired, rightfully so), defacing internal applications, creating bogus orders...
They're cocky and they don't fully seem to grasp yet how their behavior works against them.