Flawed delivery system of McDonald's India exposed customer data: Report
McDonald's India (West & South) recently suffered a major security issue with its delivery system, McDelivery. TechCrunch now reports that the system had several security flaws that may have exposed the personal data of customers and drivers alike. These vulnerabilities were discovered by Eaton Zveare, a cybersecurity researcher, in the application programming interfaces (APIs) used by McDelivery. The compromised APIs are linked to Hardcastle Restaurants, which owns McDonald's India (West & South).
Security flaws allowed unauthorized access and manipulation
Zveare told TechCrunch that the security flaws in McDelivery's APIs could have let unauthorized people access, hijack, redirect, or track orders in real time. They could even place legitimate orders for just $0.01. This was possible because the API wasn't properly verifying whether the person making requests had permission to do so. The bugs also opened access to invoices and allowed submission of feedback on customer orders.
Personal data of customers and drivers exposed
The security flaws in McDelivery's system are said to have exposed sensitive information like full names, email addresses, and phone numbers of McDonald's India (West & South) customers. They also gave access to vehicle numbers, profile pictures, and real-time location tracking of the restaurant chain's drivers delivering orders. Zveare discovered these vulnerabilities in July 2024 and reported them to McDonald's India (West & South). The issues were fixed by late September 2024, the researcher says.
McDonald's India claims no customer data was breached
Responding to the security flaws, McDonald's India (West & South) said a thorough verification of systems and logs showed no breach of customer data. "We conduct regular audits and assessments to continuously strengthen our security measures, and have all the necessary enhancements implemented, ensuring all our systems are up-to-date and secure," Sulakshna Mukherjee, a spokesperson for McDonald's India (West & South), told TechCrunch. The company didn't reveal how many customers' information may have been exposed due to these bugs.
Issue opened access to hundreds of millions of orders
Though McDonald's India (West & South) didn't disclose the number of possibly affected customers, Zveare told TechCrunch the security flaws opened access to hundreds of millions of orders. "The McDelivery (West & South) mobile app uses the same exact backend APIs as the website. As a result, both were vulnerable to the same exploits," Zveare told TechCrunch. This isn't an isolated incident for McDonald's India: in 2017, its delivery app leaked personal information of approximately 2.2 million customers.