bluetidepro 5 days ago

All that work for ONLY a $240 Amazon gift card is absolutely wild to me. It still surprises me that people choose not exploit these things when these mega corporations basically award them pennies for finding major vulnerabilities like this.

  • lern_too_spel 5 days ago

    I was going to complain about that, but then I looked at their bug bounty program: https://mcdelivery.co.in/bug-bounty

    "The reward for a valid bug will be Rs. 2,500/- (Rupees Two Thousand Five Hundred only) in the form of coupons (applicable only in McDonald’s India West & South). Such coupons shall need to be used within the validity period mentioned therein and shall not be, encashable or transferable."

    That's less than $30 per bug in non-transferable McDonald's coupons that only work in India, which is thousands of miles away from the bug reporter. Compared to what he thought he would get, a $240 Amazon gift card is a good deal.

    • EatonZ 5 days ago

      It would be nice to see rewards that scale with severity. Ultimately they did accomodate me by sending a gift card I can use instead of coupons I would likely have given away, so I appreciate that. Most companies don't offer me anything!

  • joeyagreco 5 days ago

    +1 to that. McDonald's is sending out a clear message that exploits and vulnerabilities in the future will NOT be rewarded when reported to them.

    • vouaobrasil 5 days ago

      Not so sure. I think the prestige these days is very valuable considering we are a society that values this sort of thing.

      • foxyv 4 days ago

        So what you are saying is, they are working for exposure?

        • EatonZ 4 days ago

          There are certainly more things I could have done to get more $/hour. I ultimately find these things enjoyable and help keep my skills sharp.

  • move-on-by 5 days ago

    I don’t know how popular this service is in India, but holy cow these abilities could easily be exploited for nefarious purposes:

    * The ability to steal/hijack/redirect other people’s delivery orders through a specific sequence of carefully timed API calls.

    * The ability to retrieve the details of any order.

    Wait for a target to order something, redirect the delivery to yourself. Then take the order and deliver it yourself to the target. Access granted, and you’ve got a nice fall guy- the original delivery person. IDK, I’m not a criminal, but seems like it could go for more than $240 on the black market.

  • barbazoo 5 days ago

    Then you’d have to actually eat at McDonalds though

    • echoangle 4 days ago

      You could resell it and offer to order for people if they pay you half the regular price.

  • leonewton253 5 days ago

    Id take free Mcdonalds for a year via exploit over this. Heck they might have never catched it!

    • jackvalentine 5 days ago

      Eventually some accounting report will surface the discrepancy and the cops will be waiting for you.

      No McDonalds is worth a felony.

      • rkagerer 4 days ago

        I wonder how many hashbrowns a "robinhood" style hacker could have sent to strangers, or orders-in-transits discounted to a dollar, before they caught on.

        • throwaway14356 4 days ago

          in my experience corporate appathy in large companies is a near infinite resource but im probably still to optimistic.

          it reminds me of a mysterious building no one knew the origin or purpose of. someone filled a form for poor cleaning then the message bounced around between a dozen cleaning companies who didn't have a contact for it. after decades a cleaning company filled a form because it didn't have a number and wasn't on the drawings.

beefnugs 2 days ago

Next up : Drive thru ad-blocker. You enter your order into an app and at the drive thru it automatically plays a message that you are not using their fucking tracking points app, then reads your order, and forces the server to read it back to you and checks exactness, including checking the screen for another verification of correctness

poor workers yes... but fuck them just constantly adding more things to say and getting you to donate

EliRivers 5 days ago

"September 29, 2024: I check the reported issues today and confirm they are all fixed."

This is the most amazing thing about this story. Not only did the company not threaten him, they actually fixed the issues.

foxyv 4 days ago

Eating McDonalds is just too high a price in the first place. Adding a penny? Even worse.