- A researcher found a flaw in a McDonald's API that allowed them to hijack orders
- The bug also leaked sensitive information.
- Fixed in September 2024, but users should still be careful
A McDonald’s delivery system in India had flaws that exposed sensitive customer information and allowed people to place fraudulent orders, experts said.
Cybersecurity researcher Eaton Zveare of Traceable AI found the bug in the delivery system API of McDonald's India (West and South).
The delivery system, which is apparently owned by a company called Hardcastle Restaurants, had a vulnerability that exposed the names, email addresses, and phone numbers of delivery customers. For drivers, it exposed vehicle numbers and profile photos and allowed the real-time location of their deliveries to be tracked. Additionally, the bug allowed people to access, hijack, redirect, or track orders in real time. They could also place orders for as little as $0.01.
No data breach was recorded
Zveare found the vulnerabilities in June 2024 and McDonald's fixed them in September. It appears that no threat actors encountered this bug and no customers were actually exposed.
McDonald’s India said a “thorough check of systems and records” showed that the failures did not result in a breach of its customers’ data.
“We conduct regular audits and assessments to continually strengthen our security measures and implement all necessary improvements, ensuring that all our systems are up-to-date and secure,” McDonald’s India (West and South) spokesperson Sulakshna Mukherjee said in a statement sent by email to TechCrunch.
While we don’t know exactly how many people were at risk due to the bug, TechCrunch was told that “hundreds of millions” of orders were exposed.
“The McDelivery (West & South) mobile app uses exactly the same back-end APIs as the website. As a result, both were vulnerable to the same exploits,” the researcher told the publication.
Since the delivery system for North and East India is different, these parts of the country were not affected and other countries are also safe.