{"id":819285,"date":"2025-01-12T10:12:05","date_gmt":"2025-01-12T16:12:05","guid":{"rendered":"https:\/\/newsycanuse.com\/index.php\/2025\/01\/12\/bugs-in-a-major-mcdonalds-india-delivery-system-exposed-sensitive-customer-data\/"},"modified":"2025-01-12T10:12:05","modified_gmt":"2025-01-12T16:12:05","slug":"bugs-in-a-major-mcdonalds-india-delivery-system-exposed-sensitive-customer-data","status":"publish","type":"post","link":"https:\/\/newsycanuse.com\/index.php\/2025\/01\/12\/bugs-in-a-major-mcdonalds-india-delivery-system-exposed-sensitive-customer-data\/","title":{"rendered":"Bugs in a major McDonald\u2019s India delivery system exposed sensitive customer data"},"content":{"rendered":"<div>\n<p id=\"speakable-summary\">A major McDonald\u2019s delivery system in India exposed the personal information of its customers and drivers due to several simple security flaws, TechCrunch has exclusively learned.<\/p>\n<p>The flaws, discovered by Traceable AI security researcher Eaton Zveare, were found in the APIs of the delivery system associated with <a href=\"https:\/\/www.mcdonaldsindia.com\/home.html\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">McDonald\u2019s India (West &#038; South)<\/a>, which is owned by Hardcastle Restaurants.<\/p>\n<p>Zveare exclusively told TechCrunch that bugs in the company\u2019s delivery system, McDelivery, meant anyone could access, hijack, redirect, or real-time track orders, or make legitimate orders for $0.01, by interacting with the company\u2019s API, which apps and websites use for placing orders and tracking. This is because the API wasn\u2019t properly checking to make sure the person making requests was allowed to make requests. 
The bugs also allowed access to invoices and provided the ability to submit feedback for customer orders.<\/p>\n<p>The security flaws exposed the full names, email addresses, and phone numbers of McDonald\u2019s India (West &#038; South) McDelivery customers, and exposed the vehicle numbers, profile pictures, and real-time location of the restaurant chain\u2019s drivers delivering orders.<\/p>\n<p>According to <a href=\"https:\/\/eaton-works.com\/2024\/12\/19\/mcdelivery-india-hack\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">a since-published blog post<\/a>, Zveare found the vulnerabilities and reported them to the restaurant chain in July. They were fixed in late September, per the researcher.<\/p>\n<p>McDonald\u2019s India told TechCrunch that a \u201cthorough verification of systems and logs\u201d showed the flaws did not result in a breach of its customer data.<\/p>\n<p>\u201cWe conduct regular audits and assessments to continuously strengthen our security measures, and have all the necessary enhancements implemented, ensuring all our systems are up to date and secure,\u201d Sulakshna Mukherjee, a spokesperson at McDonald\u2019s India (West &#038; South), said in a statement emailed to TechCrunch.<\/p>\n<p>McDonald\u2019s India did not disclose the number of customers whose information may have been exposed by the bugs. However, the researcher told TechCrunch that the flaws exposed access to hundreds of millions of orders.<\/p>\n<p>\u201cThe McDelivery (West &#038; South) mobile app uses the same exact back-end APIs as the website. As a result, both were vulnerable to the same exploits,\u201d the researcher told TechCrunch.<\/p>\n<p>This is not the first time McDonald\u2019s India has exposed its customers\u2019 sensitive data. 
In 2017, the delivery app of McDonald\u2019s India (West &#038; South) <a href=\"https:\/\/www.bbc.com\/news\/technology-39265282\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">leaked<\/a> the personal information of about 2.2 million customers.<\/p>\n<\/div>\n<div>\n<div>\n<p>\n\t\tJagmeet covers startups, tech policy-related updates, and all other major tech-centric developments from India for TechCrunch. He previously worked as a principal correspondent at NDTV. You can reach out to him at mail[at]journalistjagmeet[dot]com.\t<\/p>\n<\/div>\n<\/div>\n<p><a href=\"https:\/\/techcrunch.com\/2024\/12\/19\/bugs-in-a-major-mcdonalds-india-delivery-system-exposed-sensitive-customer-data\/\" class=\"button purchase\" rel=\"nofollow noopener\" target=\"_blank\">Read More<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A major McDonald\u2019s delivery system in India exposed the personal information of its customers and drivers due to several simple security flaws, TechCrunch has exclusively learned. 
The flaws, discovered by Traceable AI security researcher Eaton Zveare, were found in the APIs of the delivery system associated with McDonald\u2019s India (West &amp; South), which is owned<\/p>\n","protected":false},"author":1,"featured_media":819286,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[182,5008],"tags":[5676,7030],"class_list":{"0":"post-819285","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-major","8":"category-mcdonalds","9":"tag-major","10":"tag-mcdonalds"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/819285","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/comments?post=819285"}],"version-history":[{"count":0,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/819285\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media\/819286"}],"wp:attachment":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media?parent=819285"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/categories?post=819285"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/tags?post=819285"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}