The McDelivery application used by McDonald’s customers in India was found to be leaking the personal data of more than 2.2 million users.
McDelivery is a web application used by McDonald’s customers in India that was found to be leaking the personal information of more than 2.2 million users.
The issue was discovered by researchers at security startup Fallible, who discovered that the application was leaking user data, including names, email addresses, phone numbers, home addresses, home co-ordinates, and social profile links.
“The McDonald’s India app, McDelivery is leaking personal data for more than 2.2 million of its users which include name, email address, phone number, home address, accurate home co-ordinates and social profile links. ” reads the blog post published by Fallible.
The data leak in the McDelivery app is the result of an unprotected publicly accessible API endpoint that was designed to deliver user details, which is coupled with serially enumerable integers as customer IDs.
and below a sample response to the curl request shared by the experts:
An attacker can exploit the issue to enumerate all the users of the application and access related data.
The application fails to check if the user ID requested via the API is the same user who has logged in. The user ID is a plain number that starts from 1 and can be enumerated by an attacker to retrieve data of the users.
The issue was reported on Feb. 7, and a Senior IT Manager at McDonald’s confirmed the vulnerability on Feb. 13. The company addressed the vulnerability last week, but according to the experts at Fallible, the fix was incomplete.
“The McDonald’s fix is incomplete and the endpoint is still leaking data. We have communicated this again to them and are waiting for their response.” continues the analysis.
Just after the release of the patch, McDonald’s published a statement on its Facebook page to announce the update and prompting users to update the application as soon as possible.
“We would like to inform our users that our website and app does not store any sensitive financial data of the users like credit card details, wallets passwords or bank account information. The website and app has always been safe to use, and we update security measure on regular basis.” readsthe statement issued by McDonald’s. “As a precautionary measure, we would also urge our users to update the McDelivery app on their devices,”
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.