A major McDonald’s delivery system in India exposed the personal information of its customers and drivers due to several simple security flaws, TechCrunch has exclusively learned.
The flaws, discovered by security researcher Eaton Zveare, were found in the APIs of the delivery system associated with McDonald’s India (West & South), which is owned by Hardcastle Restaurants.
Zveare told TechCrunch that bugs in the company’s delivery system, McDelivery, meant anyone could access, hijack, redirect, or real-time track orders, or make legitimate orders for $0.01, by interacting with the company’s API, which apps and websites use for placing orders and tracking. This is because the API wasn’t properly checking to make sure the person making requests was allowed to make it. The bugs also allowed access to invoices and provided the ability to submit feedback for customer orders.
The security flaws exposed McDelivery customer full names, email addresses, and phone numbers of McDonald’s India (West & South) customers, and exposed access to vehicle numbers, profile pictures, and track the real-time location of the restaurant chain’s drivers delivering orders.
Zveare found the vulnerabilities and reported them to the restaurant chain in July. They were fixed in late September, per the researcher.
McDonald’s India told TechCrunch that a “thorough verification of systems and logs” showed the flaws did not result in a breach of its customer data.
“We conduct regular audits and assessments to continuously strengthen our security measures, and have all the necessary enhancements implemented, ensuring all our systems are up to date and secure,” Sulakshna Mukherjee, a spokesperson at McDonald’s India (West & South), said in a statement emailed to TechCrunch.
McDonald’s India did not disclose the number of customers whose information may have been exposed by the bugs. However, the researcher told TechCrunch that the flaws exposed access to hundreds of millions of orders.
“The McDelivery (West & South) mobile app uses the same exact backend APIs as the website. As a result, both were vulnerable to the same exploits,” the researcher told TechCrunch.
This is not the first time McDonald’s India has exploited its customers’ sensitive data. In 2017, the delivery app of McDonald’s India (West & South) leaked the personal information of about 2.2 million customers.
