McDonald’s India Delivery System Exposed Customer and Driver Data Due to API Vulnerabilities
McDonald’s India faced a major security flaw in its delivery system API, potentially exposing customer and driver data. The vulnerabilities were fixed after being flagged by a security researcher.
McDonald’s India reportedly suffered a significant security lapse in its delivery system, leaving sensitive customer and driver data exposed. The issue stemmed from vulnerabilities in the application programming interface (API) of the system used by McDonald’s India’s West and South divisions, operated by Hardcastle Restaurants.
The flaws, first identified in July by security researcher Eaton Zveare, were resolved by late September, according to a report by TechCrunch.
Details of the Security Flaw
The vulnerabilities reportedly allowed unauthorized access to customer and driver information, including names, phone numbers, delivery addresses, vehicle details, profile pictures, and real-time location data. The API flaws also enabled bad actors to intercept, redirect, and track orders in real time. Attackers could even manipulate the system to place legitimate orders for as little as $0.01 (roughly ₹0.85).
The open access was attributed to insufficient API security measures, which failed to restrict order placement and data tracking to authorized users. Beyond exposing personal information, the flaws allowed attackers to access invoices and submit feedback on delivered orders.
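The two controls whose absence the report describes, object-level authorization on order tracking and server-side pricing that ignores any client-supplied total, look like this in a minimal order service. This is an added illustration, not code from McDonald's India or Hardcastle Restaurants; the data model, menu prices and endpoint names are constructed assumptions.

```python
"""Illustrative order-API checks (added example; constructed data model and prices)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed menu: the server, not the client, is the source of prices (INR paise).
MENU_PRICE_PAISE = {"burger": 19900, "fries": 9900}


@dataclass
class Order:
    order_id: int
    customer_id: str
    driver_id: Optional[str]
    items: Dict[str, int]
    total_paise: int
    location: Tuple[float, float] = (0.0, 0.0)


ORDERS: Dict[int, Order] = {}  # in-memory store standing in for a database


class Forbidden(Exception):
    pass


def place_order(customer_id: str, items: Dict[str, int],
                client_total_paise: Optional[int] = None) -> Order:
    """Compute the total from the server-side menu; a client-supplied total is ignored."""
    if not items or any(qty <= 0 for qty in items.values()):
        raise ValueError("empty order or invalid quantity")
    unknown = set(items) - set(MENU_PRICE_PAISE)
    if unknown:
        raise ValueError(f"unknown items: {sorted(unknown)}")
    total = sum(MENU_PRICE_PAISE[name] * qty for name, qty in items.items())
    order = Order(order_id=len(ORDERS) + 1, customer_id=customer_id,
                  driver_id=None, items=dict(items), total_paise=total)
    ORDERS[order.order_id] = order
    return order


def track_order(requester_id: str, order_id: int) -> dict:
    """Object-level authorization: only the ordering customer or the assigned driver
    may read an order. Unknown and unauthorized IDs return the same error so the
    response does not reveal which order IDs exist."""
    order = ORDERS.get(order_id)
    if order is None or requester_id not in (order.customer_id, order.driver_id):
        raise Forbidden("order not found or not accessible")
    return {"order_id": order.order_id, "driver_id": order.driver_id,
            "location": order.location, "total_paise": order.total_paise}
```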
Response from McDonald’s India
The vulnerabilities were reported to McDonald’s India in July, and the company took action to fix them by late September. In a statement to TechCrunch, McDonald’s India emphasized that a thorough system review and log analysis were conducted, confirming that no security breaches or unauthorized access to customer data occurred.
However, while McDonald’s India declined to disclose the number of customers potentially affected, Eaton Zveare estimated that hundreds of millions of orders could have been exposed during the vulnerability period.
Implications for Customer Data Security
This incident underscores the critical importance of robust API security measures in protecting sensitive customer and employee data. Despite assurances from McDonald’s India, the potential exposure of millions of orders serves as a stark reminder of the vulnerabilities inherent in digital delivery systems.
As businesses increasingly rely on digital platforms, the need for regular security audits and proactive measures to mitigate risks remains paramount.