McDelivery is a web application used by McDonald’s customers in India that was found to be leaking the personal information of more than 2.2 million users.
The issue was discovered by researchers at security startup Fallible, who discovered that the application was leaking user data, including names, email addresses, phone numbers, home addresses, home co-ordinates, and social profile links.
“The McDonald’s India app, McDelivery is leaking personal data for more than 2.2 million of its users which include name, email address, phone number, home address, accurate home co-ordinates and social profile links. ” reads the blog post published by Fallible.
The data leak in the McDelivery app is the result of an unprotected publicly accessible API endpoint that was designed to deliver user details, which is coupled with serially enumerable integers as customer IDs.
The API Endpoint is:
and below a sample response to the curl request shared by the experts:
An attacker can exploit the issue to enumerate all the users of the application and access related data.
The application fails to check if the user ID requested via the API is the same user who has logged in. The user ID is a plain number that starts from 1 and can be enumerated by an attacker to retrieve data of the users.
The issue was reported on Feb. 7, and a Senior IT Manager at McDonald’s confirmed the vulnerability on Feb. 13. The company addressed the vulnerability last week, but according to the experts at Fallible, the fix was incomplete.
“The McDonald’s fix is incomplete and the endpoint is still leaking data. We have communicated this again to them and are waiting for their response.” continues the analysis.
Just after the release of the patch, McDonald’s published a statement on its Facebook page to announce the update and prompting users to update the application as soon as possible.
“We would like to inform our users that our website and app does not store any sensitive financial data of the users like credit card details, wallets passwords or bank account information. The website and app has always been safe to use, and we update security measure on regular basis.” reads the statement issued by McDonald’s. “As a precautionary measure, we would also urge our users to update the McDelivery app on their devices,”
(Security Affairs – McDelivery , hacking)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.