McDonald’s India’s Delivery System Exposed Customer Data, Says Researcher

SUMMARY

The flaws discovered by security researcher Eaton Zveare of Traceable AI were found in the company’s API used for order placement and tracking

Zveare claimed to have reported the issue to the company in July, after which he said the vulnerability was fixed by late September

However, McDonald’s India said that its internal checks found no breach of customer data

A security vulnerability in McDonald’s India’s delivery system, McDelivery, allegedly exposed the personal data of its customers and delivery drivers.

The flaws discovered by security researcher Eaton Zveare of Traceable AI were found in the company’s API used for order placement and tracking.

The development was first reported by TechCrunch.

Zveare claimed to have reported the issue to McDonald’s India in July, after which he said the company fixed the vulnerability by late September.

The incident happened in McDonald’s ‘West & South India’ franchisee, which is operated by Hardcastle Restaurants Private Limited (HRPL), Zveare said in a blog post.

However, McDonald’s India told TechCrunch that its internal checks found no breach of customer data.

“We conduct regular audits and assessments to continuously strengthen our security measures, and have all the necessary enhancements implemented, ensuring all our systems are up to date and secure,” the company told the publication.

Zveare highlighted the issues in the blog post published on Friday (December 19). Below are the key concerns outlined by Zveare:

  • Orders For INR 1: Exploits enabled users to modify prices and place orders for as low as INR 1.
  • Order Hijacking: Delivery orders could be redirected to different addresses through carefully timed API manipulations.
  • Personal Data Exposure: Information like names, phone numbers, and vehicle details of delivery drivers was accessible.
  • Real-Time Tracking: Unauthorised tracking of delivery riders’ live locations was possible.
  • Invoice & Feedback Access: Users could download invoices or submit feedback for orders they didn’t place.
  • Admin Data Access: Limited access to internal admin reports was also possible through API flaws.
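The first five items above are instances of two well-known API weaknesses: trusting a price or total supplied by the client, and serving per-order resources (invoices, feedback, rider location, delivery address) without checking that the caller owns the order. The following Python sketch is an added example written for this article, not code from Zveare's post or from McDonald's India/HRPL; it models a hypothetical in-memory order API with a constructed menu, user ids and order ids, and shows the weak pattern next to the hardened one.

```python
"""Added example (not part of the article or of any McDelivery code).

Models a hypothetical order API to illustrate two flaw classes named in the
article: client-controlled totals and missing object-level authorization on
per-order endpoints. All menu prices, user ids and order ids are constructed.
"""
from dataclasses import dataclass

# Server-side source of truth for prices (constructed sample menu, in INR).
MENU = {"burger": 199, "fries": 99}


class AuthorizationError(Exception):
    """Raised when the caller does not own the requested order."""


@dataclass
class Order:
    order_id: str
    customer_id: str
    items: dict          # item name -> quantity
    total: int           # INR
    address: str
    status: str = "placed"   # placed -> dispatched -> delivered


ORDERS = {}   # order_id -> Order (in-memory stand-in for a database)


def place_order_insecure(customer_id, items, client_total, address):
    """Weak pattern: the total comes from the request body, so a client can
    submit any amount it likes (the 'orders for INR 1' class of bug)."""
    oid = f"ord-{len(ORDERS) + 1}"
    ORDERS[oid] = Order(oid, customer_id, dict(items), client_total, address)
    return ORDERS[oid]


def place_order(customer_id, items, address):
    """Hardened: the total is recomputed from the server-side menu and
    unknown items or non-positive quantities are rejected."""
    if not items or any(name not in MENU or qty <= 0 for name, qty in items.items()):
        raise ValueError("invalid item list")
    total = sum(MENU[name] * qty for name, qty in items.items())
    oid = f"ord-{len(ORDERS) + 1}"
    ORDERS[oid] = Order(oid, customer_id, dict(items), total, address)
    return ORDERS[oid]


def _owned_order(order_id, caller_id):
    """Object-level authorization: the order must exist AND belong to the caller.
    Missing and foreign orders get the same error so ids are not enumerable."""
    order = ORDERS.get(order_id)
    if order is None or order.customer_id != caller_id:
        raise AuthorizationError("order not found")
    return order


def get_invoice(order_id, caller_id):
    """Invoice download restricted to the order's owner."""
    o = _owned_order(order_id, caller_id)
    return {"order_id": o.order_id, "items": o.items, "total": o.total}


def submit_feedback(order_id, caller_id, text):
    """Feedback accepted only from the customer who placed the order."""
    o = _owned_order(order_id, caller_id)
    return {"order_id": o.order_id, "feedback": text}


def change_address(order_id, caller_id, new_address):
    """Address changes allowed only by the owner and only before dispatch,
    closing the 'redirect someone else's order' window."""
    o = _owned_order(order_id, caller_id)
    if o.status != "placed":
        raise ValueError("order already dispatched")
    o.address = new_address
    return o


def rider_location(order_id, caller_id, rider_positions):
    """Live tracking: only the owner of a dispatched order sees the position,
    and the response carries no rider identity or vehicle details."""
    o = _owned_order(order_id, caller_id)
    if o.status != "dispatched":
        return None
    return rider_positions.get(order_id)
```

The two checks are independent: recomputing the total from the menu protects the business from price tampering, while the single `_owned_order` gate protects customers and riders by applying the same ownership test to every per-order endpoint, so a new endpoint cannot be added without it.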

Notably, cybersecurity lapses are a growing concern in India. Most recently, ride-hailing major Rapido reportedly leaked the personal information of its users and drivers due to a security issue with a feedback form.

The personal data was exposed due to a flaw with a website form which collected feedback from Rapido rickshaw users and drivers.

Meanwhile, personal data of millions of Star Health’s customers was leaked on Telegram in September this year. Data of Star Health customers such as policy and claim documents, including names, contact information, addresses, tax details, copies of ID cards, test results and medical diagnoses, was reportedly available for download on the Telegram app.
