This article originally appeared on VICE Germany.
Last November, software developers Lenny Bakkalian and David Albert discovered two loopholes in the German McDonald's system which allowed them to order an endless supply of free food. Recently, I met the two Hamburglars and their colleague Mats Tesch at an East Berlin McDonald's so they could show me how they did it.
McDonald's receipts in Germany end with a link to a survey page. Once you take the survey, you receive a coupon code for a free small beverage, redeemable within a month. One day, David happened to be checking out how the website's coding was structured when he noticed that the information triggering the server to issue a new voucher was always the same. That meant he could build a programme replicating the code, as if someone was taking the survey again and again.
But who wants unlimited drinks with nothing to sink your teeth into? "I played around with the coupon generator and, after about five hours, I discovered another vulnerability," he explained – a vulnerability that allowed them to order free food.
At the McDonald's in East Berlin, David began the demonstration by setting up an internet hotspot with his smartphone. Lenny connected with a second phone and a laptop, then turned the laptop into a proxy server connected to both phones. He opened the McDonald's app and entered a voucher code generated by David's programme. The next step was ordering the food for a total of €17. The bill on the app was transmitted to the laptop, which set all prices to zero through a programme created by Lenny, and sent the information back to the app. After tapping "Complete and pay 0.00 euros", we simply received our pick-up number. It had worked.
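The two weaknesses described above, a survey endpoint that issues a fresh voucher for every replayed submission and a checkout that accepts whatever prices the app sends back, are both closed by the same defensive rule: the server decides, not the client. The following is an added example, not code from McDonald's or from the developers in this story; the catalogue, the field names and the receipt ids are constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field

# Constructed catalogue for the example; prices in euro cents.
CATALOGUE = {"burger": 450, "fries": 300, "drink_small": 250}
FREE_DRINK_CENTS = CATALOGUE["drink_small"]


@dataclass
class VoucherStore:
    """Constructed server-side store: voucher -> discount, plus bookkeeping."""
    valid: dict = field(default_factory=dict)
    used: set = field(default_factory=set)
    surveyed_receipts: set = field(default_factory=set)

    def issue_for_survey(self, receipt_id: str):
        """Issue one voucher per receipt; a replayed survey submission gets None."""
        if receipt_id in self.surveyed_receipts:
            return None
        self.surveyed_receipts.add(receipt_id)
        code = "SURVEY-" + secrets.token_hex(8)
        self.valid[code] = FREE_DRINK_CENTS
        return code

    def redeem(self, code: str) -> int:
        """Return the discount for an unused code and consume it; 0 otherwise."""
        if code not in self.valid or code in self.used:
            return 0
        self.used.add(code)
        return self.valid[code]


def price_order(order: dict, store: VoucherStore) -> int:
    """Amount due in cents, computed from server data only.

    `order` is the client's submission, e.g.
    {"items": [{"sku": "burger", "qty": 2, "price": 0}], "total": 0, "voucher": "..."}.
    Client-supplied "price" and "total" fields are never read, so a proxy that
    rewrites them to zero on the way to the server changes nothing.
    """
    total = 0
    for line in order.get("items", []):
        sku, qty = line.get("sku"), int(line.get("qty", 0))
        if sku not in CATALOGUE or qty <= 0:
            raise ValueError(f"rejected order line: {line!r}")
        total += CATALOGUE[sku] * qty
    discount = store.redeem(order["voucher"]) if order.get("voucher") else 0
    return max(total - discount, 0)
```

With this in place, an order submitted with every price set to zero is still charged the catalogue total, and a replayed survey or a reused voucher code yields nothing.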
My building excitement about the free processed meat was soon deflated when the guys told me they weren't actually there for the free food – that this was just a demonstration. "Okay, we'll pick it up and pay for it," said David, not wanting to fleece the billion dollar multi-national chain out of €17. At the counter, he tried to explain what he'd just done. "Relax and enjoy it – it's all good," said the manager, refusing his money.
The guys told me it didn't always go down this way – when they tried to hack the app for 15 burgers in Hamburg, the boys told the manager what they were doing and the order was cancelled before it was prepared. This time, they decided to give the food to a homeless person nearby.
Curious, I asked the boys why they'd come up with the hack if not to eat on Ronald McDonald's dime. At first, David said they were worried "criminals would make money by generating the coupons and selling them online". Later, he added, "Lenny and Mats are my friends – I want them to be able to apply for good jobs after school, and discoveries like this will help with that." That's what motivated the boys to contact McDonald's about their hack in November of 2019. A customer service employee said they would look into it, but two weeks later the hack was still working.
Lots of big companies run so-called "bug bounty" programmes that reward people who discover these types of coding errors. When VICE contacted McDonald's, a spokesperson wouldn't confirm the existence of such a programme, but said the McDonald's app met "all conventional security requirements". She added that only someone with in-depth programming knowledge could exploit the loopholes – and that they would be liable for prosecution. "However, we are currently working diligently to close this gap, of course," she said.
Lenny later confirmed they did receive some form of reward from McDonald's, and the loophole was finally fixed in mid-December of 2019. So next time you're casually browsing through code on McDonald's website, you'll have to figure out another way to get yourself a free meal.