TechCrunch has revealed critical security flaws in McDonald’s India (West & South) delivery system that exposed sensitive customer and driver information. Traceable AI security researcher Eaton Zveare identified these vulnerabilities in the APIs of the McDelivery platform, which powers both the app and website for McDonald’s India (West & South), operated by Hardcastle Restaurants.
The security flaws allowed unauthorized access to customer names, email addresses, and phone numbers, as well as vehicle details, profile pictures, and real-time locations of delivery drivers. Zveare also discovered that the bugs enabled anyone to hijack or redirect orders, track them in real-time, and even place legitimate orders for as little as $0.01. The issues stemmed from the API failing to validate user permissions adequately. Additionally, users could access invoices and submit feedback for orders, further demonstrating the extent of the vulnerabilities.
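The defect described above is a missing object-level authorization check: the API looked orders up by identifier without confirming that the caller was the customer or driver attached to them. The following is an added illustration of that check, not McDelivery's code; the order records, user identifiers, roles and field names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Principal:
    """Caller identity taken from the verified session, never from the request body."""
    user_id: str
    role: str  # constructed roles: "customer" or "driver"

@dataclass
class Order:
    order_id: int
    customer_id: str
    driver_id: str
    invoice: str
    feedback: Optional[str] = None

# Constructed sample data: two orders belonging to two different customers.
ORDERS = {
    1001: Order(1001, "cust-a", "drv-1", "INV-1001"),
    1002: Order(1002, "cust-b", "drv-2", "INV-1002"),
}

def get_order_unchecked(order_id: int) -> Optional[Order]:
    """The pattern the report describes: any caller gets any order by id alone."""
    return ORDERS.get(order_id)

def _authorized_order(order_id: int, who: Principal) -> Optional[Order]:
    """Single authorization gate reused by every order-scoped endpoint.
    Unknown ids and other people's orders both yield None, so the response
    does not reveal whether a guessed order id exists."""
    order = ORDERS.get(order_id)
    if order is None:
        return None
    if who.role == "customer":
        owner = order.customer_id
    elif who.role == "driver":
        owner = order.driver_id
    else:
        return None  # unrecognised role: deny by default
    return order if owner == who.user_id else None

def get_order(order_id: int, who: Principal) -> Optional[Order]:
    return _authorized_order(order_id, who)

def get_invoice(order_id: int, who: Principal) -> Optional[str]:
    order = _authorized_order(order_id, who)
    return order.invoice if order else None

def submit_feedback(order_id: int, who: Principal, text: str) -> bool:
    order = _authorized_order(order_id, who)
    if order is None:
        return False
    order.feedback = text
    return True
```

Every endpoint that takes an order id (tracking, invoice, feedback, redirect) must go through the same gate; a check applied only on the order-detail route leaves the others exposed.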
Zveare reported the flaws to McDonald’s India in July, and fixes were implemented by late September. In a blog post detailing the findings, Zveare noted that the delivery system’s APIs for both the mobile app and website were equally affected, leaving the entire platform exposed to potential exploits.
McDonald’s India assured that a “thorough verification of systems and logs” found no evidence of a customer data breach. “We conduct regular audits and assessments to continuously strengthen our security measures, and have all the necessary enhancements implemented, ensuring all our systems are up to date and secure,” said Sulakshna Mukherjee, a spokesperson for McDonald’s India (West & South), in a statement to TechCrunch.
The company did not disclose how many customers were affected, but Zveare estimated that hundreds of millions of orders were potentially exposed. This incident echoes a 2017 data leak in which the McDonald’s India (West & South) delivery app exposed the personal information of 2.2 million customers.