<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1919858758278392&amp;ev=PageView&amp;noscript=1">

Business Logic Flaws: One (Bug)Mac please!

Jun 14, 2019 10:00:00 AM By Chetan Conikee

application vulnerability at the drive-in

Editor's note: This is the final article in a seven-part series by Chetan Conikee.

Watch this video!


A typical Big Mac has two juicy beef patties with melted American cheese, pickles, onions, lettuce and McDonald’s Special Sauce on a toasted sesame bun. Majority of us have spared no time in taking a big, juicy bite at least once in our lifetime.

Not too long ago Moshe Tamssot outwitted the self serve kiosk at McDonalds to place an order for an enormous (Bug)Mac — no pun intended.

Let’s reconstruct the events:

  1. Using the kiosk, Moshe literally add multiple 10x sides and toppings to his single order
  2. There was no threshold set to the max times a topping can be added in association to a single order
  3. Upon completion of order, the system indicated that it would take 8–10 minutes to prepare his order.
  4. The system is using a default upper bound SLA threshold. If this SLA is exceeded, the customer is possible incentivized with a free order. SLAs should take order details, real time queue information and other variables to compute threshold.
  5. The cashier was awestruck with this order amount and calls for the manager to deal with this circumstance.
  6. The billing POS terminal was perhaps not tuned to deal with this high price.
  7. Eventually, Moshe was rewarded with a (Bug)Mac at no cost.


Business Effects No Laughing Matter

Humor aside, such business flaws have negative ripple effects.

The viral potential of this Youtube posting could have led others to abuse this flaw before an update was pushed to all kiosks worldwide. Upholding their high standards of service, McDonalds accepted this order at no cost to Moshe. However, it most likely took over 15 minutes to prepare, thereby impacting those customers waiting behind him at the dine-in and drive-in.


This is the final post in a seven part series on finding business logic vulnerabilities in your code. More business logic case studies can be found here.