McDonald’s India Delivery System Reportedly Exposed Personal Information of Customers Due to API Bug

The security flaws were first discovered by security researcher Eaton Zveare.

Written by Akash Dutta, Edited by Siddharth Suvarna | Updated: 19 December 2024 19:51 IST

McDonald’s India Delivery System Reportedly Exposed Personal Information of Customers Due to API Bug

Photo Credit: Reuters

McDonald’s India reportedly claimed that customer data was not breached as a result of the security flaws

Highlights

The bugs were found in the delivery system’s API
McDonald’s India West and South divisions were affected by the bugs
The vulnerabilities were found in July and were fixed in late September

McDonald's India reportedly left the personal data of its customers and drivers exposed due to a security flaw. As per the report, the vulnerabilities arose due to bugs in the application programming interface (API) of the restaurant franchise's delivery system. The entire McDonald's India West and South divisions were said to be affected by this security flaw that could let anyone access and hijack orders placed on the system. The bugs were reportedly first spotted in July and were fixed by late September.

McDonald's India Reportedly Had a Major Security Flaw

According to a TechCrunch report, the APIs of the delivery system used by the West and South divisions of McDonald's India, owned by Hardcastle Restaurants, were affected by several simple security flaws. These bugs were first discovered by security researcher Eaton Zveare, who revealed the details to the publication.

Due to the vulnerabilities, anyone with knowledge could reportedly access, hijack, redirect, or track orders in real-time. Bad actors could reportedly also place legitimate orders for $0.01 (roughly Rs. 0.85) by manipulating the delivery system's API.

[Sponsored] Samsung Galaxy S24: The Ultimate Camera Phone With Smarter On-Device AI

Notably, the delivery system is used for placing orders and tracking. It contains customer names, phone numbers, and addresses, as well as personal information of the delivery personnel such as vehicle numbers, profile pictures, location data, and more.

The open access to the API was reportedly caused as it was not properly monitoring that only the authorised people were placing orders and tracking the information. The vulnerabilities reportedly left the system open for an attack and would even let a potential hacker access invoices and submit feedback for delivered orders.

The security researcher is said to have reported the vulnerabilities to McDonald's India in July, and they were fixed in late September. The restaurant chain told TechCrunch that a thorough verification of the system and log data was conducted and it was determined that no security breach occurred as a result of the API bugs. McDonald's India reportedly also maintained that customer data was not accessed by anyone outside of the organisation.

While the restaurant chain did not reveal the number of customers whose personal information was exposed as a result of the security flaws, the researcher reportedly claimed that hundreds of millions of orders were exposed.

Comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Further reading: McDonalds, India, Cybersecurity

Akash Dutta Email Akash Dutta

Akash Dutta is a Senior Sub Editor at Gadgets 360. He is particularly interested in the social impact of technological developments and loves reading about emerging fields such as AI, metaverse, and fediverse. In his free time, he can be seen supporting his favourite football club - Chelsea, watching movies and anime, and sharing passionate opinions on food. More