McDonald's New Zealand and Australia restaurants reportedly have unused and insecure NFC tags glued under tables.
Near Field Communications tags allow devices to read instructions with a tap. Phones must be very close in order to read the tags and the instructions they contain.
The McDonald's tags seem to have been installed as part of the Create Your Taste promo, which allows customers to compile custom burgers. They would pair with pucks so staff could find where a customer is sitting.
But the tags remain in an unlocked and writeable state, which puts customers' NFC-enabled and activated phones at risk.
An attacker could, for example, create a copycat McDonald's webpage and host on it a malicious McDonald's lookalike Android app.
Users would expect the phishing site to be legitimate, having been directed to the site while in a McDonald's restaurant, and would be more likely to download and install the application.
Attackers could write the phishing site address to the tags so that it would be read by phones placed on the table.
A prompt would appear on phones asking users if they wish to visit the site.
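For an operator checking tags it has deployed, the added example below (not code from the report or from McDonald's) audits a raw memory dump for the unlocked, writeable state described above and compares the stored link against an allowlist. It assumes an NFC Forum Type 2 tag layout, which the report does not specify; the function names, the `example.com` allowlist and the sample dump are constructed for illustration, and only the first five URI abbreviation codes are mapped.

```python
from urllib.parse import urlsplit
# Assumption: NFC Forum Type 2 layout (4-byte pages); only pages 3-15 are checked.
URI_PREFIXES = {0: "", 1: "http://www.", 2: "https://www.", 3: "http://", 4: "https://"}

def parse_ndef_uri(data):
    """Return the first URI record found in the TLV data area, or None."""
    i = 0
    while i + 1 < len(data) and data[i] != 0xFE:       # 0xFE: terminator TLV
        if data[i] == 0x00:                            # NULL TLV (padding)
            i += 1
            continue
        length, start = data[i + 1], i + 2
        if length == 0xFF:                             # three-byte length form
            length, start = int.from_bytes(data[i + 2:i + 4], "big"), i + 4
        value = data[start:start + length]
        if data[i] == 0x03 and len(value) >= 3:        # NDEF message TLV
            short, has_id = value[0] & 0x10, value[0] & 0x08
            off = 3 if short else 6
            plen = value[2] if short else int.from_bytes(value[2:6], "big")
            id_len = int.from_bytes(value[off:off + 1], "big") if has_id else 0
            off += 1 if has_id else 0
            rtype = value[off:off + value[1]]
            payload = value[off + value[1] + id_len:][:plen]
            if (value[0] & 0x07) == 1 and rtype == b"U" and payload:
                return URI_PREFIXES.get(payload[0], "") + payload[1:].decode("utf-8", "replace")
        i = start + length
    return None

def audit(dump, allowed_hosts):
    """Check write protection and the stored link of a dump starting at page 0."""
    if len(dump) < 16:
        raise ValueError("dump must include pages 0-3")
    lock0, lock1, cc = dump[10], dump[11], dump[12:16]
    # The tag enforces lock bits; the CC access nibble is only advice to readers.
    locked = (lock0 & 0xF8) == 0xF8 and lock1 == 0xFF
    findings = [] if locked else ["static lock bits clear: tag can be rewritten"]
    if cc[0] != 0xE1:
        findings.append("no NDEF capability container")
    elif (cc[3] & 0x0F) != 0x0F:
        findings.append("capability container advertises write access")
    uri = parse_ndef_uri(dump[16:])
    host = urlsplit(uri).hostname if uri else None
    if uri and host not in allowed_hosts:
        findings.append("stored URI points to unexpected host: %s" % host)
    return {"uri": uri, "locked": locked, "findings": findings}

# Constructed sample: default lock bytes, read/write CC, one URI record.
_payload = bytes([0x04]) + b"example.com/menu"
_record = bytes([0xD1, 0x01, len(_payload), 0x55]) + _payload
SAMPLE_DUMP = bytes(10) + bytes([0, 0, 0xE1, 0x10, 0x12, 0, 0x03, len(_record)]) + _record + b"\xFE"
```

Calling `audit(SAMPLE_DUMP, {"example.com"})` reports both write-protection findings for the constructed dump; larger tags also carry dynamic lock bytes or password protection that this check does not read.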
Kiwi tech boffins at PlayTechNZ (@playtechnz) found and reported the exposed tags.
Reddit users have since reported seeing the tags, with some claiming friends had written their Instagram accounts to the tags.
The tags' signals are powerful enough to pass through tables. Normal NFC stickers would need to be placed on top of tables to be read.
McDonald's restaurants in other countries have used NFC tags under tables for service delivery. A small pilot program in Singapore used NFC tags to allow kids to drive their phones around tabletops in a simulated car race.
McDonald's New Zealand and McDonald's Australia have been contacted for comment. ®