TechCrunch exclusively revealed that a major McDonald’s delivery system in India has exposed the personal data of its customers and drivers due to a few simple security flaws.
The flaws, discovered by security researcher Eaton Zveare, were found in the delivery system’s APIs. McDonald’s India (West & South) is owned by Hardcastle Restaurants.
Zveare told TechCrunch that bugs in the company’s delivery system, McDelivery, could allow anyone to interact with the company’s API, which is used by its apps and websites for ordering and tracking, to place, steal, redirect or track orders in real time, or to issue a valid order for $0.01. This is because the API doesn’t properly check to make sure the requester is allowed to do so. The bugs also allowed access to invoices and the ability to submit feedback on customers’ orders.
The security flaws exposed the full names, email addresses and phone numbers of McDonald’s India (West & South) McDelivery customers, and gave access to the vehicle license plates, profile pictures and real-time location of the restaurant chain’s delivery drivers.
Zveare found the vulnerabilities and reported them to the restaurant chain in July. According to the researcher, they were fixed in late September.
McDonald’s India told TechCrunch that a “thorough review of systems and records” showed that the flaws did not result in a breach of customer data.
“We conduct regular audits and assessments to continuously strengthen our security measures and implement all necessary upgrades to ensure all our systems are up-to-date and secure,” said Sulakshna Mukherjee, a spokesperson for McDonald’s India (West & South), in a statement emailed to TechCrunch.
McDonald’s India did not disclose the number of customers whose information was compromised. However, the flaw exposed access to hundreds of millions of orders, the researcher told TechCrunch.
“The McDelivery (West & South) mobile app uses the same exact backend APIs as the website. As a result, both were vulnerable to the same exploit,” the researcher told TechCrunch.
This is not the first time that McDonald’s India has exposed the sensitive data of its customers. In 2017, the McDonald’s India (West & South) delivery program leaked personal data of approximately 2.2 million customers.