BurgerTime

[2015] A weekend long expedition to get free burgers

Kedar Vaidya
3 min read · Oct 22, 2020

(Originally written in 2015)

McDonalds released a mobile app that offers you a free burger if you download their app and create an account. My roommate uses an ancient iPhone 4s, and the app allowed him to use this free burger coupon several times. After a while, it stopped working, so I decided to download it on my own phone. Just like my roommate, I saw the free burger coupon. After I used the coupon to get a burger, the offer disappeared from my app.

This got me thinking. What if I just kept redownloading the app and signing up for new accounts? Turns out, this method works, and we were feasting on our free Big Macs again.

One of the many screens to register for the app

This process was pretty time consuming, because you had to click through many confirmation pages. This motivated me to further investigate the app, in the hopes of acquiring faster fast food.

This is where things got interesting.

The McDonalds app uses an internal API, hosted at api.mcd.com. This API is secured with HTTPS, and it does some pretty weird stuff:

  • Sends the password in plain text with every request (no hashing mechanism for password storage)
  • The iOS and Android clients use different API responses and requests
  • The iOS and Android clients both identify as an iPhone
  • The nonce for the Android app is “happybaby”
  • Redeeming an offer will return a base64 encoded QR code — but it’s never used by the app

This was my first project where I did anything like this, so I ran into a lot of walls, like figuring out what an Aztec QR code is, how the QR codes were generated, how to obtain a valid app token, and creating accounts/logging in via POST requests.

After spending some time with the app and viewing the network requests it made, I was able to figure out how to programmatically register an account, log in, and then view offers. I documented the internal McDonalds API, and threw it up on a web page where anyone could quickly get a coupon code for a free burger.

McAttack web app

This was pretty cool, because it meant that anyone could visit my web app, click the offer they wanted, and a valid coupon code would be generated on the fly.

McDonalds adds some “security”

McDonalds started requiring email verification for accounts exactly one business day after I generated accounts (maybe related?). I began devising a plan to account for this new hurdle, until I realized the ‘isActive’ flag sent by the client during registration is set to false using the normal app. If I flipped this value to true in my web app, the newly registered account was considered to be email verified!

Fixing the App

Getting free food is awesome, and it’s every college student’s dream. Unfortunately, using this proof of concept application is unethical (but delicious!). The web app has now been taken down, and the source code can be found on GitHub.

McDonald's could easily fix their application if they just didn’t trust user input. By doing some basic validation and rate limiting, McDonald's could plug this issue. Also, McDonald's should follow basic security practices, like hashing passwords, and not sending plain text passwords for every request.
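To make the fixes above concrete, here is an added example of a hardened registration and login flow. It is not McDonald's code and not from the McAttack repository; the field names (`email`, `password`, `isActive`), the in-memory `ACCOUNTS` store, the PBKDF2 work factor and the rate-limit numbers are all assumptions made for illustration. It shows the three points the paragraph names: a client-supplied `isActive` (or any other unexpected field) is rejected rather than trusted, activation only happens server-side through an out-of-band verification token, the password is stored only as a salted hash, and registrations are rate limited per client.

```python
import hashlib
import hmac
import os
import re
import time
from collections import defaultdict, deque
from typing import Optional

PBKDF2_ROUNDS = 200_000                    # work factor for password hashing (assumption)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
ALLOWED_FIELDS = {"email", "password"}     # isActive is deliberately NOT accepted from clients

ACCOUNTS: dict = {}                        # hypothetical in-memory account store


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest); only the digest is stored, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


class RateLimiter:
    """Sliding-window counter keyed by client address (or any other string)."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit, self.window = limit, window_seconds
        self._hits = defaultdict(deque)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:
            hits.popleft()                 # drop hits that fell out of the window
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def register(payload: dict, client_ip: str, limiter: RateLimiter,
             now: Optional[float] = None) -> dict:
    """Create an account; the activation state is decided server-side only."""
    if not limiter.allow(client_ip, now):
        raise PermissionError("too many registrations from this client")
    unexpected = set(payload) - ALLOWED_FIELDS
    if unexpected:
        # A client-supplied isActive (or any other unknown key) is rejected outright.
        raise ValueError("unexpected fields: " + ", ".join(sorted(unexpected)))
    email = str(payload.get("email", "")).strip().lower()
    password = str(payload.get("password", ""))
    if not EMAIL_RE.match(email):
        raise ValueError("invalid email")
    if len(password) < 8:
        raise ValueError("password too short")
    if email in ACCOUNTS:
        raise ValueError("account already exists")
    salt, digest = hash_password(password)
    ACCOUNTS[email] = {
        "salt": salt,
        "digest": digest,
        "isActive": False,                       # every account starts unverified
        "verify_token": os.urandom(16).hex(),    # would be delivered by email, out of band
    }
    return {"email": email, "isActive": False}


def verify_email(email: str, token: str) -> bool:
    """The only path that flips isActive: presenting the server-issued token."""
    acct = ACCOUNTS.get(email.strip().lower())
    if acct is None or acct["verify_token"] is None:
        return False
    if not hmac.compare_digest(acct["verify_token"], token):
        return False
    acct["isActive"] = True
    acct["verify_token"] = None                  # single use
    return True


def login(email: str, password: str) -> bool:
    """Unverified accounts cannot log in, so they cannot reach offers either."""
    acct = ACCOUNTS.get(email.strip().lower())
    if acct is None or not acct["isActive"]:
        return False
    return verify_password(password, acct["salt"], acct["digest"])
```

In a real service `login` would hand back a short-lived session token and every later request would carry that token rather than the password, which addresses the "plain text password on every request" point; the rate limiter would also key on more than the client address (account, device, offer redemption) so that churning accounts for coupons is throttled as well.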

Hope you enjoyed reading how I spent my weekend getting free burgers!
