Part 5/7:
After gaining access to the system, the researcher was able to update orders that were still in progress, effectively hijacking deliveries. Using two different accounts, they could redirect an ongoing order to another address without the original user’s knowledge. This was a time-dependent vulnerability: the attack relied on acting while the order was still in progress.
The Aftermath: Reporting and Resolution
Upon discovering these critical issues, the researcher compiled a detailed 24-page report and submitted it through McDonald’s bug bounty program. McDonald’s responded positively, resolved the issues within the set 90-day timeframe, and compensated the researcher with an Amazon gift card.