- A researcher discovered a flaw in McDonald’s API that allowed them to hijack orders
- The vulnerability also leaked sensitive information
- Fixed in September 2024, but users still need to be careful
Flaws in India’s McDonald’s delivery system exposed sensitive customer information and allowed people to place fraudulent orders, experts claim.
Eaton Zveare, a cybersecurity researcher at Traceable AI, discovered a bug in the delivery system API of McDonald’s India (West and South).
The delivery system, apparently owned by a company called Hardcastle Restaurants, contained a vulnerability that exposed the names, email addresses and phone numbers of delivery customers. For drivers, it exposed vehicle numbers and profile pictures and revealed the real-time location of their deliveries. In addition, the vulnerability allowed people to access, hijack, redirect or track any order, and to place orders for as little as $0.01.
No record of data leakage
Zveare discovered the vulnerabilities in June 2024, and McDonald’s fixed them in September. According to the company, no threat actors stumbled upon the vulnerability, and no customers were actually exposed.
McDonald’s India said “thorough verification of systems and logs” showed that the flaws did not lead to the leakage of its customer data.
McDonald’s India (West and South) spokesperson Sulakshna Mukherjee told TechCrunch: “We conduct regular audits and assessments, continuously strengthen our security measures and implement all necessary enhancements to ensure that all our systems are up to date and secure.”
While we don’t know exactly how many people were put at risk by this vulnerability, TechCrunch was told that “hundreds of millions” of orders were exposed.
“The McDelivery (West & South) mobile app uses the exact same backend API as the website. As a result, both are vulnerable to the same attacks,” the researcher told the publication.
Because north and east India use a different delivery system, those parts of the country were not affected, and other countries were also unaffected.