Update: McDonald’s India commented on the issue with the following statement advising customers to update their app.
“We would like to inform our users that our website and app do not store any sensitive financial data of the users like credit card details, wallet passwords or bank account information. The website and app have always been safe to use, and we update security measures on a regular basis. As a precautionary measure, we would also urge our users to update the McDelivery app on their devices.
At McDonald’s India, we are committed to our users’ data privacy and protection.”
Using the McDonald’s McDelivery app to place your orders from the fast food chain? According to a blog post, your personal data could be out there and up for grabs thanks to an unprotected, publicly accessible API endpoint.
The information was revealed on Hackernoon, a hacker blog, which claims that the app is bleeding customer data including customer names, email addresses, phone numbers, accurate home addresses, coordinates and social profile links.
The information comes from a security research startup from Bengaluru called Fallible, which claims that it contacted McDelivery on 7 February and even received acknowledgement of the loophole from senior IT management on 13 February.
According to the post, the security team says the issue still remains open and vulnerable, and that its “continued effort to get an update for the fix after the initial acknowledgement has failed.” The Fallible security team reached out to McDonald’s under their responsible disclosure policy.
Fallible explains, “An unprotected publicly accessible API endpoint for getting user details coupled with serially enumerable integers as customer IDs can be used to obtain access to all users’ personal information.”
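The two ingredients Fallible describes, an endpoint with no authorization check and sequential customer IDs, are shown below from the defender's side: an added example (not McDonald's or Fallible code) with a hardened version of such a user-details handler and a log check that flags clients walking through consecutive IDs. The record store, the `/api/user/<id>` path and the log format are constructed for the example.

```python
# Added example: object-level authorization for a user-details endpoint,
# plus detection of serial customer-ID enumeration in access logs.
import re
from collections import defaultdict

# Constructed sample records keyed by sequential integer customer ID.
CUSTOMERS = {
    1001: {"name": "A. Kumar", "email": "a.kumar@example.invalid"},
    1002: {"name": "B. Singh", "email": "b.singh@example.invalid"},
}

def get_user_details_unprotected(requested_id):
    """The weak pattern: any caller can fetch any record by supplying an ID."""
    return CUSTOMERS.get(requested_id)

def get_user_details(session_user_id, requested_id):
    """Hardened: requires an authenticated session and only returns the
    caller's own record. Returns None both for anonymous callers and for
    another customer's ID, so the response does not reveal which IDs exist."""
    if session_user_id is None or session_user_id != requested_id:
        return None
    return CUSTOMERS.get(requested_id)

# Constructed access-log lines (hypothetical format: client, method, path, status).
LOG_LINES = """\
10.0.0.5 GET /api/user/1001 200
10.0.0.5 GET /api/user/1002 200
10.0.0.5 GET /api/user/1003 200
10.0.0.5 GET /api/user/1004 200
192.0.2.9 GET /api/user/1002 200
""".splitlines()

LOG_RE = re.compile(r"^(\S+) GET /api/user/(\d+) (\d{3})$")

def enumerating_clients(lines, min_run=3):
    """Flag clients whose successful requests cover a run of at least
    min_run consecutive customer IDs, the signature of serial enumeration."""
    ids_by_client = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group(3) == "200":
            ids_by_client[m.group(1)].add(int(m.group(2)))
    flagged = []
    for client, ids in ids_by_client.items():
        ordered = sorted(ids)
        run = best = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged.append(client)
    return sorted(flagged)
```

The log check is a coarse heuristic; in practice the stronger fix is the authorization check itself, with non-sequential identifiers as defence in depth.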
The company claims that it has in the past found more than 50 such instances of data leaks in several Indian organisations.
In fact, Fallible has even laid out the steps to reproduce the issue on Hackernoon. We have reached out to McDonald’s India for comment.
Publish date: March 18, 2017 1:52 pm | Modified date: March 18, 2017 6:28 pm