McDonald’s India Delivery System Reportedly Exposed Personal Information of Customers Due to API Bug

Share

McDonald’s India reportedly left the personal data of its customers and drivers exposed due to a security flaw. As per the report, the vulnerabilities arose due to bugs in the application programming interface (API) of the restaurant franchise’s delivery system. The entire McDonald’s India West and South divisions were said to be affected by this security flaw that could let anyone access and hijack orders placed on the system. The bugs were reportedly first spotted in July and were fixed by late September.

McDonald’s India Reportedly Had a Major Security Flaw

According to a TechCrunch report, the APIs of the delivery system used by the West and South divisions of McDonald’s India, owned by Hardcastle Restaurants, were affected by several simple security flaws. These bugs were first discovered by security researcher Eaton Zveare, who revealed the details to the publication.

Due to the vulnerabilities, anyone with knowledge could reportedly access, hijack, redirect, or track orders in real-time. Bad actors could reportedly also place legitimate orders for $0.01 (roughly Rs. 0.85) by manipulating the delivery system’s API.

Notably, the delivery system is used for placing orders and tracking. It contains customer names, phone numbers, and addresses, as well as personal information of the delivery personnel such as vehicle numbers, profile pictures, location data, and more.

The open access to the API was reportedly caused as it was not properly monitoring that only the authorised people were placing orders and tracking the information. The vulnerabilities reportedly left the system open for an attack and would even let a potential hacker access invoices and submit feedback for delivered orders.

The security researcher is said to have reported the vulnerabilities to McDonald’s India in July, and they were fixed in late September. The restaurant chain told TechCrunch that a thorough verification of the system and log data was conducted and it was determined that no security breach occurred as a result of the API bugs. McDonald’s India reportedly also maintained that customer data was not accessed by anyone outside of the organisation.

While the restaurant chain did not reveal the number of customers whose personal information was exposed as a result of the security flaws, the researcher reportedly claimed that hundreds of millions of orders were exposed.