A major McDonald’s delivery system in India exposed the personal information of its customers and drivers due to several simple security flaws, TechCrunch has exclusively learned.
The flaws, discovered by Traceable AI security researcher Eaton Zveare, were found in the APIs of the delivery system associated with McDonald’s India (West & South), which is owned by Hardcastle Restaurants.
Zveare exclusively told TechCrunch that bugs in the company’s delivery system, McDelivery, meant anyone could access, hijack, redirect, or real-time track orders, or make legitimate orders for $0.01, by interacting with the company’s API, which apps and websites use for placing orders and tracking. This is because the API wasn’t properly checking to make sure the person making requests was allowed to make requests. The bugs also allowed access to invoices and provided the ability to submit feedback for customer orders.
The security flaws exposed McDelivery customer full names, email addresses, and phone numbers of McDonald’s India (West & South) customers, and exposed access to vehicle numbers, profile pictures, and tracked the real-time location of the restaurant chain’s drivers delivering orders.
In a since-published blog post, Zveare found the vulnerabilities and reported them to the restaurant chain in July. They were fixed in late September, per the researcher.
McDonald’s India told TechCrunch that a “thorough verification of systems and logs” showed the flaws did not result in a breach of its customer data.
“We conduct regular audits and assessments to continuously strengthen our security measures, and have all the necessary enhancements implemented, ensuring all our systems are up to date and secure,” Sulakshna Mukherjee, a spokesperson at McDonald’s India (West & South), said in a statement emailed to TechCrunch.
McDonald’s India did not disclose the number of customers whose information may have been exposed by the bugs. However, the researcher told TechCrunch that the flaws exposed access to hundreds of millions of orders.
“The McDelivery (West & South) mobile app uses the same exact back-end APIs as the website. As a result, both were vulnerable to the same exploits,” the researcher told TechCrunch.
This is not the first time McDonald’s India has exploited its customers’ sensitive data. In 2017, the delivery app of McDonald’s India (West & South) leaked the personal information of about 2.2 million customers.
Jagmeet covers startups, tech policy-related updates, and all other major tech-centric developments from India for TechCrunch. He previously worked as a principal correspondent at NDTV. You can reach out to him at mail[at]journalistjagmeet[dot]com.