
Further down the thread he mentions that no order gets executed, he's just querying. I guess still making trouble for anyone using that data, but at least nothing's going to waste.


That just leaves me with more questions. What does he mean by "executing" an order? He used the word "placing" before. Is he placing the order and then immediately cancelling? Or is he just putting items in his cart? Why such a high dollar total on the order? Is it a single order at every store every minute? Does it really need to be that frequent?

Regardless, it annoys me when I see developers abuse semi-public APIs as it just ends up being a motivating factor to close things off more. There are most likely some developers working for McDonald's who have been scrambling as a response to what this guy is doing. It isn't nice to create unnecessary work for others just so you can have a little fun.


Like any other e-commerce store, you can add stuff to your cart, and then choose not to check out.

And it is typically during the cart-adding process that you find out if a product is actually available for purchase or not, as opposed to at checkout time.

I would assume that's what is happening here, which means it's not actually affecting any in-store operations, just (as the author says) probably messing with their analytics a bit.

Hopefully he's doing it in a way that lets the analysts easily mass-filter his activity (perhaps by IP, or by adding some filter for his very atypical "one McFlurry from each store" order configuration).

Seems reasonably harmless in my mind, if he's not making use of any non-public endpoints or keys.


He has said multiple times that orders are "placed". He also said they aren't "executed". Based on what other people are saying here about McDonald's workflow, it sounds like a placed order wouldn't actually be executed unless he shows up to the store. That is probably what is happening here. It may be "reasonably harmless" but it is still not a nice thing to do just for fun and 15 minutes of internet fame.

EDIT: I'm not sure why, but moderators have detached this line of comments from where I was originally replying. I really don't think questioning the ethics of something like this is out of line on HN, but I can understand the phrase "kind of an asshole move" might have upset some people. Since this is the only comment I can still edit, I will just throw in the clarification of context that detaching this comment might have removed. The "asshole move" I was referring to is the practice of brute forcing this information through an internal McDonald's API by sending $18k worth of orders every minute.


For what it's worth the author joined the discussion and confirmed he is not actually placing orders, but rather using the API to check availability of a product.

He doesn't say how that works, but again if I had to guess I would bet it's checking the response to "add to cart" or something similar.


Isn't that something that Google has been accused of before, adding things to carts, and then leaving?


I am sure that lots of price scrapers do this, including Google.


If you've never used the McDonald's app, then you can place an order, but the store doesn't receive it and do anything until you arrive at the store and it detects that you're there. During this period, you can cancel the order. My guess is that's what he's doing.


Based off the information at the site and the tweets, the most sensible explanation is that it's a single order that gets attempted, but the cart gets cleared. Rather, it's the sheer number of locations that McDonald's has licensed its name to that causes the dollar value.

Given the cost of $1 for a cone, he's checking 18,752 locations per minute, or about 1.28x the number of branded restaurants in the US + Canada.


He meant "if I exaggerate I will get more RTs"


I wouldn’t call it unnecessary work. If a developer can do it for fun, a competitor or, worse, someone mal-intentioned can do it as well.


Yeah, this guy really should have approached Dairy Queen with a campaign and sold it off... "We know you can't get McDonald's ice cream? Come to us."



