Bugs in a major McDonald’s India delivery system exposed sensitive customer data

Date:

Share post:


A major McDonald’s delivery system in India exposed the personal information of its customers and drivers due to several simple security flaws, TechCrunch has exclusively learned.

The flaws, discovered by security researcher Eaton Zveare, were found in the APIs of the delivery system associated with McDonald’s India (West & South), which is owned by Hardcastle Restaurants.

Zveare told TechCrunch that bugs in the company’s delivery system, McDelivery, meant anyone could access, hijack, redirect, or real-time track orders, or make legitimate orders for $0.01, by interacting with the company’s API, which apps and websites use for placing orders and tracking. This is because the API wasn’t properly checking to make sure the person making requests was allowed to make it. The bugs also allowed access to invoices and provided the ability to submit feedback for customer orders.

The security flaws exposed McDelivery customer full names, email addresses, and phone numbers of McDonald’s India (West & South) customers, and exposed access to vehicle numbers, profile pictures, and track the real-time location of the restaurant chain’s drivers delivering orders.

Zveare found the vulnerabilities and reported them to the restaurant chain in July. They were fixed in late September, per the researcher.

McDonald’s India told TechCrunch that a “thorough verification of systems and logs” showed the flaws did not result in a breach of its customer data.

“We conduct regular audits and assessments to continuously strengthen our security measures, and have all the necessary enhancements implemented, ensuring all our systems are up to date and secure,” Sulakshna Mukherjee, a spokesperson at McDonald’s India (West & South), said in a statement emailed to TechCrunch.

McDonald’s India did not disclose the number of customers whose information may have been exposed by the bugs. However, the researcher told TechCrunch that the flaws exposed access to hundreds of millions of orders.

“The McDelivery (West & South) mobile app uses the same exact backend APIs as the website. As a result, both were vulnerable to the same exploits,” the researcher told TechCrunch.

This is not the first time McDonald’s India has exploited its customers’ sensitive data. In 2017, the delivery app of McDonald’s India (West & South) leaked the personal information of about 2.2 million customers.



Source link

Lisa Holden
Lisa Holden
Lisa Holden is a news writer for LinkDaddy News. She writes health, sport, tech, and more. Some of her favorite topics include the latest trends in fitness and wellness, the best ways to use technology to improve your life, and the latest developments in medical research.

Recent posts

Related articles

Waymo fills the Cruise void overseas and a salute to an icon

Welcome back to TechCrunch Mobility — your central hub for news and insights on the future of...

World(coin) must let Europeans comprehensively delete their data, under privacy order

It took a lot more than the initially slated few weeks to arrive, but a pivotal privacy...

Tesla is courting Texas cities to test its promised robotaxi service

Tesla is evaluating multiple Texas cities where it wants to test a long-promised robotaxi service, including Austin,...

K2 Space will fly its extra-large satellite for the first time in 2026

K2 Space is betting that the future of the space hardware will be big — really big.  The...

US government urges high-ranking officials to lock down mobile devices following telecom breaches

The U.S. government is urging senior politicians and high-ranking officials to lock down their devices amid the...

North Korea-linked hackers accounted for 61% of all crypto stolen in 2024

With the rising adoption and value of crypto assets, the potential for theft is also on the...

Apple and Meta go to war over interoperability vs. privacy

Apple and Meta are warring in Europe over the balance between interoperability and privacy, Reuters reports. The fight...

BlueQubit raises $10M to take Quantum software into real-world applications

Integrating quantum computing into real-world computer applications is an ongoing problem, as the platforms are architected fundamentally...