A bug in the McDonald's Monopoly VIP game in the UK caused the login names and passwords for the game's databases to be sent to prize winners.
After skipping a year due to COVID-19, McDonald's UK launched its popular Monopoly VIP game on August 25th, where customers can enter codes found on purchased food items for a chance to win a prize. These prizes include £100,000 in cash, an Ibiza villa or UK getaway holiday, Lay-Z Spa hot tubs, and more.
Unfortunately, the game hit a snag over the weekend after a bug caused the user names and passwords for both the production and staging database servers to be included in prize redemption emails sent to winners.
An unredacted screenshot of the email sent to prize winners was shared with BleepingComputer by Troy Hunt. It shows an unhandled exception error, along with sensitive configuration details for the web application.
This information included the hostnames of Azure SQL databases and the databases' login names and passwords, as displayed in the redacted email below, sent to a Monopoly VIP winner.
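As an added illustration (not code from McDonald's, the game's developer or BleepingComputer), the Python below shows the pattern that produces this kind of leak: a caught database exception interpolated straight into a customer-facing email. Beside it is a hardened version that logs a scrubbed copy server-side and sends the customer only a reference id, plus a pre-send check for credential material. The connection string, hostname, account name and password in it are constructed placeholders, not values from the incident.

```python
"""Added example of how an unhandled database exception can leak connection
details into an outbound email, and a hardened pattern that keeps them out.
Every hostname, account and password here is a constructed placeholder."""
import logging
import re

logger = logging.getLogger("prize-emails")

# Constructed stand-in for what many database drivers raise on a failed
# connection: the message echoes the connection string, secrets included.
CONN_STRING = (
    "Server=tcp:example-prod.database.windows.net,1433;"
    "User ID=prize_app;Password=hunter2;"
)


class DatabaseError(Exception):
    pass


def lookup_prize(code: str) -> str:
    # Simulated failure path; the driver's message carries the full connection string.
    raise DatabaseError(f"Login failed while connecting with: {CONN_STRING}")


def build_email_vulnerable(code: str) -> str:
    """Anti-pattern: the raw exception text becomes part of the customer email."""
    try:
        return f"Congratulations, you won: {lookup_prize(code)}"
    except Exception as exc:
        return f"We could not process your prize. Error: {exc}"


# Key=value pairs in connection strings that must never leave the server.
SECRET_PATTERN = re.compile(r"(Password|Pwd|User ID)=[^;]*", re.IGNORECASE)


def scrub(text: str) -> str:
    """Redact credential-bearing key=value pairs before text is logged anywhere."""
    return SECRET_PATTERN.sub(lambda m: m.group(0).split("=")[0] + "=[REDACTED]", text)


def build_email_hardened(code: str, ref_id: str = "ref-0001") -> str:
    """Details stay server-side (scrubbed); the customer sees only a reference id."""
    try:
        return f"Congratulations, you won: {lookup_prize(code)}"
    except Exception as exc:
        logger.error("prize lookup failed [%s]: %s", ref_id, scrub(str(exc)))
        return f"We could not process your prize. Please quote reference {ref_id}."


def leaks_credentials(email_body: str) -> bool:
    """Last-line check to run on every outbound message before it is sent."""
    return bool(SECRET_PATTERN.search(email_body)) or ".database.windows.net" in email_body


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_credentials(build_email_vulnerable("ABC123")))
    print("hardened leaks:  ", leaks_credentials(build_email_hardened("ABC123")))
```

The pre-send check is deliberately crude; its job is to catch the exact failure mode seen here (connection-string fragments and database hostnames in customer mail), not to replace keeping exception text out of templates in the first place.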
The prize winner who shared the email with Troy Hunt said that the production server was firewalled off, but that they could access the staging server using the included credentials.
"I tried to connect to production to gauge the severity of the issue and whether or not getting in touch was an urgent matter, but luckily for them they had a set of firewall rules set up," the person told Troy Hunt in an email shared with BleepingComputer.
"I did however gain access to staging, which I disconnected from immediately for obvious reasons."
As these databases may have contained winning prize codes, the exposure could have allowed an unscrupulous person to download unused game codes and claim the prizes.
Luckily for McDonald's, the person responsibly disclosed the issue to McDonald's, and while they did not receive a response, they later found that the staging server's password had been changed promptly.
Unfortunately, this was not an isolated issue: other users reported seeing the credentials, and some went as far as sharing their experience in a TikTok video.
BleepingComputer has contacted McDonald's UK with questions about the leaked credentials but has not heard back.