McDonald's delivery customers are at risk from a possible data breach


  • A researcher discovered a flaw in a McDonald's API that allowed them to hijack orders
  • The bug also leaked sensitive information
  • The issue was resolved in September 2024, but users should still exercise caution

A delivery system for McDonald's in India was flawed in a way that exposed sensitive customer information and allowed people to place fraudulent orders, experts claim.

Cybersecurity researcher Eaton Zveare of Traceable AI found a bug in the API of the delivery system in McDonald's India (West & South).

The delivery system, which apparently belongs to a company called Hardcastle Restaurants, contained a vulnerability that exposed the names, email addresses and phone numbers of delivery customers. Vehicle numbers and profile photos became visible to drivers and the real-time location of their deliveries was tracked. Additionally, the bug allowed people to access, hijack, redirect, or track orders in real time. They could also place orders for as little as $0.01.

No data breach has been registered

Zveare discovered the vulnerabilities in June 2024 and McDonald's fixed them in September. Reportedly, no threat actors encountered this bug and no customers were actually exposed.

McDonald’s India said a “thorough verification of systems and logs” showed the errors did not result in a breach of customer data.

“We conduct regular audits and assessments to continuously strengthen our security measures, and have implemented all necessary improvements so that all our systems are up to date and secure,” said Sulakshna Mukherjee, a spokesperson for McDonald’s India (West & South), in a statement emailed to TechCrunch.

While we don’t know exactly how many people have been put at risk by the bug, TechCrunch was told that “hundreds of millions” of orders had been made public.

“The McDelivery (West & South) mobile app uses the exact same back-end APIs as the website. As a result, both were vulnerable to the same exploits,” the researcher told the publication.

Since the delivery system for India North and East is different, these parts of the country are not affected and other countries are also safe.
