All that work for ONLY a $240 Amazon gift card is absolutely wild to me. It still surprises me that people choose not exploit these things when these mega corporations basically award them pennies for finding major vulnerabilities like this.
"The reward for a valid bug will be Rs. 2,500/- (Rupees Two Thousand Five Hundred only) in the form of coupons (applicable only in McDonald’s India West & South). Such coupons shall need to be used within the validity period mentioned therein and shall not be, encashable or transferable."
That's less than $30 per bug in non-transferable McDonald's coupons that only work in India, which is thousands of miles away from the bug reporter. Compared to what he thought he would get, a $240 Amazon gift card is a good deal.
It would be nice to see rewards that scale with severity. Ultimately they did accomodate me by sending a gift card I can use instead of coupons I would likely have given away, so I appreciate that. Most companies don't offer me anything!
I don’t know how popular this service is in India, but holy cow these abilities could easily be exploited for nefarious purposes:
* The ability to steal/hijack/redirect other people’s delivery orders through a specific sequence of carefully timed API calls.
* The ability to retrieve the details of any order.
Wait for a target to order something, redirect the delivery to yourself. Then take the order and deliver it yourself to the target. Access granted, and you’ve got a nice fall guy- the original delivery person. IDK, I’m not a criminal, but seems like it could go for more than $240 on the black market.
I wonder how many hashbrowns a "robinhood" style hacker could have sent to strangers, or orders-in-transits discounted to a dollar, before they caught on.
in my experience corporate appathy in large companies is a near infinite resource but im probably still to optimistic.
it reminds me of a mysterious building no one knew the origin or purpose of. someone filled a form for poor cleaning then the message bounced around between a dozen cleaning companies who didn't have a contact for it. after decades a cleaning company filled a form because it didn't have a number and wasn't on the drawings.
All that work for ONLY a $240 Amazon gift card is absolutely wild to me. It still surprises me that people choose not exploit these things when these mega corporations basically award them pennies for finding major vulnerabilities like this.
I was going to complain about that, but then I looked at their bug bounty program: https://mcdelivery.co.in/bug-bounty
"The reward for a valid bug will be Rs. 2,500/- (Rupees Two Thousand Five Hundred only) in the form of coupons (applicable only in McDonald’s India West & South). Such coupons shall need to be used within the validity period mentioned therein and shall not be, encashable or transferable."
That's less than $30 per bug in non-transferable McDonald's coupons that only work in India, which is thousands of miles away from the bug reporter. Compared to what he thought he would get, a $240 Amazon gift card is a good deal.
It would be nice to see rewards that scale with severity. Ultimately they did accomodate me by sending a gift card I can use instead of coupons I would likely have given away, so I appreciate that. Most companies don't offer me anything!
+1 to that. McDonald's is sending out a clear message that exploits and vulnerabilities in the future will NOT be rewarded when reported to them.
Not so sure. I think the prestige these days is very valuable considering we are a society that values this sort of thing.
So what you are saying is, they are working for exposure?
There are certainly more things I could have done to get more $/hour. I ultimately find these things enjoyable and help keep my skills sharp.
I don’t know how popular this service is in India, but holy cow these abilities could easily be exploited for nefarious purposes:
* The ability to steal/hijack/redirect other people’s delivery orders through a specific sequence of carefully timed API calls.
* The ability to retrieve the details of any order.
Wait for a target to order something, redirect the delivery to yourself. Then take the order and deliver it yourself to the target. Access granted, and you’ve got a nice fall guy- the original delivery person. IDK, I’m not a criminal, but seems like it could go for more than $240 on the black market.
Then you’d have to actually eat at McDonalds though
You could resell it and offer to order for people if they pay you half the regular price.
Id take free Mcdonalds for a year via exploit over this. Heck they might have never catched it!
Eventually some accounting report will surface the discrepancy and the cops will be waiting for you.
No McDonalds is worth a felony.
I wonder how many hashbrowns a "robinhood" style hacker could have sent to strangers, or orders-in-transits discounted to a dollar, before they caught on.
in my experience corporate appathy in large companies is a near infinite resource but im probably still to optimistic.
it reminds me of a mysterious building no one knew the origin or purpose of. someone filled a form for poor cleaning then the message bounced around between a dozen cleaning companies who didn't have a contact for it. after decades a cleaning company filled a form because it didn't have a number and wasn't on the drawings.
"September 29, 2024: I check the reported issues today and confirm they are all fixed."
This is the most amazing thing about this story. Not only did the company not threaten him, they actually fixed the issues.
Eating McDonalds is just too high a price in the first place. Adding a penny? Even worse.
[dead]