Bugs in a major McDonald’s India delivery system exposed sensitive customer data


A major McDonald’s delivery system in India exposed the personal information of its customers and drivers due to several simple security flaws, TechCrunch has exclusively learned.

The flaws, discovered by security researcher Eaton Zveare, were found in the APIs of the delivery system associated with McDonald’s India (West & South), which is owned by Hardcastle Restaurants.

Zveare told TechCrunch that bugs in the company’s delivery system, McDelivery, meant anyone could access, hijack, redirect, or track orders in real time, or place legitimate orders for $0.01, by interacting with the company’s API, which its apps and websites use for placing and tracking orders. This is because the API wasn’t properly checking that the person making a request was allowed to make it. The bugs also allowed access to invoices and provided the ability to submit feedback for customer orders.
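The kind of check the API was missing, as an added example that is not code from McDelivery or from the researcher: every order lookup is tied to the authenticated caller and the action requested. The order fields, the `POLICY` table, and all function names are hypothetical, and `session_user` is assumed to come from a verified session rather than from a request parameter.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised for both unknown orders and orders the caller may not touch."""

@dataclass
class Order:
    order_id: int
    customer_id: str
    driver_id: str
    address: str

# Constructed sample data; ids and addresses are invented.
ORDERS = {
    1001: Order(1001, "cust-a", "drv-1", "12 Example Road"),
    1002: Order(1002, "cust-b", "drv-2", "7 Sample Street"),
}

# Assumed policy: which relationship to an order permits which action.
POLICY = {
    "view": {"customer", "driver"},
    "track": {"customer", "driver"},
    "redirect": {"customer"},
}

def relationship(user_id, order):
    """Return how the caller is related to the order, or None if unrelated."""
    if user_id == order.customer_id:
        return "customer"
    if user_id == order.driver_id:
        return "driver"
    return None

def get_order_unchecked(session_user, order_id):
    """Flawed pattern: the order id alone selects the record."""
    return ORDERS[order_id]

def load_order_for(session_user, order_id, action):
    """Return the order only if the authenticated caller may perform `action`."""
    order = ORDERS.get(order_id)
    # Same error for "no such order" and "not yours", so ids cannot be enumerated.
    if order is None or relationship(session_user, order) not in POLICY[action]:
        raise Forbidden("order not available")
    return order

def redirect_order(session_user, order_id, new_address):
    """Change the delivery address; only the ordering customer passes the check."""
    order = load_order_for(session_user, order_id, "redirect")
    order.address = new_address
    return order
```

Routing every handler through one loader like `load_order_for` keeps the check from being forgotten on individual endpoints such as invoices or feedback.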

The security flaws exposed the full names, email addresses, and phone numbers of McDonald’s India (West & South) customers, as well as the vehicle numbers, profile pictures, and real-time location of the restaurant chain’s drivers delivering orders.

Zveare found the vulnerabilities and reported them to the restaurant chain in July. They were fixed in late September, per the researcher.

McDonald’s India told TechCrunch that a “thorough verification of systems and logs” showed the flaws did not result in a breach of its customer data.

“We conduct regular audits and assessments to continuously strengthen our security measures, and have all the necessary enhancements implemented, ensuring all our systems are up to date and secure,” Sulakshna Mukherjee, a spokesperson at McDonald’s India (West & South), said in a statement emailed to TechCrunch.

McDonald’s India did not disclose the number of customers whose information may have been exposed by the bugs. However, the researcher told TechCrunch that the flaws exposed access to hundreds of millions of orders.

“The McDelivery (West & South) mobile app uses the same exact backend APIs as the website. As a result, both were vulnerable to the same exploits,” the researcher told TechCrunch.

This is not the first time McDonald’s India has exposed its customers’ sensitive data. In 2017, the delivery app of McDonald’s India (West & South) leaked the personal information of about 2.2 million customers.




Lisa Holden
Lisa Holden is a news writer for LinkDaddy News. She writes health, sport, tech, and more. Some of her favorite topics include the latest trends in fitness and wellness, the best ways to use technology to improve your life, and the latest developments in medical research.
