McDonald’s McDelivery app leaks details of over 2.2 million customers

Pierluigi Paganini March 21, 2017

The McDelivery application used by McDonald’s customers in India was found to be leaking the personal data of more than 2.2 million users.

McDelivery is a web application used by McDonald’s customers in India that was found to be leaking the personal information of more than 2.2 million users.

mcdelivery

The issue was discovered by researchers at security startup Fallible, who discovered that the application was leaking user data, including names, email addresses, phone numbers, home addresses, home co-ordinates, and social profile links.

“The McDonald’s India app, McDelivery is leaking personal data for more than 2.2 million of its users which include name, email address, phone number, home address, accurate home co-ordinates and social profile links. ” reads the blog post published by Fallible.

The data leak in the McDelivery app is the result of an unprotected publicly accessible API endpoint that was designed to deliver user details, which is coupled with serially enumerable integers as customer IDs.

The API Endpoint is:

http://services.mcdelivery.co.in/ProcessUser.svc/GetUserProfile

and below a sample response to the curl request shared by the experts:

An attacker can exploit the issue to enumerate all the users of the application and access related data.

The application fails to check if the user ID requested via the API is the same user who has logged in. The user ID is a plain number that starts from 1 and can be enumerated by an attacker to retrieve data of the users.

The issue was reported on Feb. 7, and a Senior IT Manager at McDonald’s confirmed the vulnerability on Feb. 13. The company addressed the vulnerability last week, but according to the experts at Fallible, the fix was incomplete.

“The McDonald’s fix is incomplete and the endpoint is still leaking data. We have communicated this again to them and are waiting for their response.” continues the analysis.

Just after the release of the patch, McDonald’s published a statement on its Facebook page to announce the update and prompting users to update the application as soon as possible.

“We would like to inform our users that our website and app does not store any sensitive financial data of the users like credit card details, wallets passwords or bank account information. The website and app has always been safe to use, and we update security measure on regular basis.” reads the statement issued by McDonald’s. “As a precautionary measure, we would also urge our users to update the McDelivery app on their devices,” 

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – McDelivery , hacking)



you might also like

leave a comment