McDonald's India's delivery system exposed the personal information of customers and delivery drivers because of a few simple security flaws, TechCrunch has learned exclusively.
The flaw, discovered by security researcher Eaton Zveare, was in the API of the delivery system used by McDonald's India (West & South), which is owned by Hardcastle Restaurants.
Zveare told TechCrunch that a bug in the company's delivery system, McDelivery, could allow anyone to access, hijack, redirect, and process orders in real time through the API that the company's apps and website use to place orders. He said he was able to place an order for $0.01 and track it. This was because the API did not properly check whether the user making a request actually had permission to make it. The bug also granted access to invoices and allowed feedback to be submitted on other customers' orders.
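The failure Zveare describes is a missing object-level authorization check: the API accepted an order identifier and served it without asking whether the caller had any relationship to that order. As an added illustration (this is not McDelivery's code; every function name, identifier and record below is constructed for the example), the following Python shows an order lookup that serves any order ID to any authenticated caller beside one that verifies the caller is the order's customer or its assigned driver, and applies the same check to a state-changing action:

```python
"""Broken object-level authorization (IDOR) on an order endpoint, vulnerable
form beside hardened form. Added example with constructed data; not the
McDelivery backend."""

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Order:
    order_id: int
    customer_id: str       # account that placed the order
    driver_id: str         # driver assigned to deliver it
    customer_name: str
    customer_phone: str
    driver_vehicle: str
    status: str


# Constructed sample rows standing in for the backend's order table.
ORDERS = {
    1001: Order(1001, "cust-a", "drv-x", "A. Customer", "+91-00000-00001",
                "MH01AB0001", "out for delivery"),
    1002: Order(1002, "cust-b", "drv-y", "B. Customer", "+91-00000-00002",
                "MH01AB0002", "preparing"),
}


class Forbidden(Exception):
    """Raised when the caller may not act on the requested object."""


def get_order_vulnerable(requester_id: str, order_id: int) -> Order:
    """Vulnerable: the authenticated caller is never consulted.

    Any caller who can guess or enumerate an order ID receives the full
    record, including the other party's name, phone number and vehicle."""
    return ORDERS[order_id]


def _authorize(requester_id: str, order_id: int) -> Order:
    """Look the object up, then check the caller's relationship to it.

    'Not found' and 'not yours' return the same error so that a caller
    cannot distinguish valid IDs from invalid ones by probing."""
    order = ORDERS.get(order_id)
    if order is None or requester_id not in (order.customer_id, order.driver_id):
        raise Forbidden("order not found")
    return order


def get_order_hardened(requester_id: str, order_id: int) -> Order:
    """Hardened read: only the order's customer or driver may fetch it."""
    return _authorize(requester_id, order_id)


def redirect_order_hardened(requester_id: str, order_id: int, new_driver: str) -> Order:
    """Hardened write: reassigning a delivery is gated by the same check,
    so the 'hijack and redirect' path is closed along with the read path."""
    order = _authorize(requester_id, order_id)
    updated = replace(order, driver_id=new_driver)
    ORDERS[order_id] = updated
    return updated


def readable_orders(fetch, requester_id: str) -> list:
    """Enumerate every known order ID as `requester_id` through `fetch` and
    report which ones were served; shows the blast radius of each version."""
    served = []
    for order_id in sorted(ORDERS):
        try:
            fetch(requester_id, order_id)
            served.append(order_id)
        except Forbidden:
            pass
    return served


if __name__ == "__main__":
    # Customer A can read everyone's orders through the vulnerable path,
    # but only their own through the hardened one.
    print("vulnerable:", readable_orders(get_order_vulnerable, "cust-a"))
    print("hardened:  ", readable_orders(get_order_hardened, "cust-a"))
```

The check lives in one helper that both the read and the write path call, which is the property to verify in a real codebase: every handler that takes an object identifier from the client must route through an ownership check before touching the object, and a single handler that skips it is enough to reproduce the exposure described here.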
The security flaw exposed the full names, email addresses, and phone numbers of McDonald's India (West & South) McDelivery customers, as well as the vehicle numbers, profile photos, and names of the drivers delivering their orders. Real-time location tracking was also exposed.
Zveare discovered the vulnerability and reported it to the restaurant chain in July. He said the flaws were fixed in late September.
McDonald's India told TechCrunch that a “thorough review of its systems and logs” showed the flaw did not result in a breach of customer data.
“We conduct regular audits and assessments to continually strengthen our security measures, implementing all necessary enhancements and ensuring all systems are up to date and secure,” Sulakshna Mukherjee, a spokesperson for McDonald's India (West & South), said in a statement emailed to TechCrunch.
McDonald's India has not disclosed the number of customers whose information may have been exposed by the bug. However, Zveare told TechCrunch that the flaw exposed access to hundreds of millions of orders.
“The McDelivery (West & South) mobile app uses the exact same backend API as the website. As a result, both were vulnerable to the same exploits,” Zveare told TechCrunch.
This is not the first time McDonald's India has exposed sensitive customer data. In 2017, the personal information of about 2.2 million customers was leaked by the McDonald's India (West & South) delivery app.