McDonald’s Food Chain - 2.2 Million INDIAN Customer Records Leaked by McDelivery Web App

The world famous American hamburger and fast food chain McDonald's uses a web application named McDelivery to deliver orders in India. Security researchers at Fallible (a security start-up) have discovered a security vulnerability in this McDelivery web application. According to the researchers, the vulnerability can be exploited to dump the personal records of 2.2 million Indian McDonald's customers.

What is the Vulnerability?

The security vulnerability resides in an unprotected, publicly accessible API endpoint. The developers designed this API to return user details keyed by serially enumerable integers: the customer IDs of McDonald's customers. An attacker could exploit the API with a simple script that walks through the ID range and retrieves the personal information of all 2.2 million customers. In simple terms, the McDelivery web app does not verify that the user making the request is the user whose record is being requested. The web app never checks the user ID passed to the API; because the ID is a plain number, an attacker can trivially change it to retrieve other users' data.
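To make the missing check concrete, the following is an added example (not McDelivery's code, and the record store, session store and log format are constructed) showing a profile lookup with the flaw described above beside a hardened version that ties the requested ID to the authenticated session, plus a small detector that flags sessions walking many customer IDs in access logs:

```python
import collections
from typing import Optional

# Constructed sample data: records keyed by sequential integer customer ids,
# the pattern the article describes. Not real customer data.
CUSTOMERS = {
    1001: {"name": "Customer One", "phone": "+91-00000-00001", "address": "Sample Lane 1"},
    1002: {"name": "Customer Two", "phone": "+91-00000-00002", "address": "Sample Lane 2"},
}
# Constructed session store: session token -> the customer id that owns it.
SESSIONS = {"sess-one": 1001, "sess-two": 1002}


class AccessDenied(Exception):
    pass


def vulnerable_get_profile(customer_id: int, session_token: Optional[str] = None) -> dict:
    """The flaw: the id in the request is trusted and the caller is never checked."""
    return CUSTOMERS[customer_id]


def hardened_get_profile(customer_id: int, session_token: Optional[str]) -> dict:
    """Resolve the caller from the session server-side; serve only that caller's record."""
    caller = SESSIONS.get(session_token) if session_token else None
    if caller is None:
        raise AccessDenied("login required")
    # Object-level authorization: the requested id must match the authenticated owner.
    # One error for 'not yours' and 'no such id' avoids confirming which ids exist.
    if caller != customer_id or customer_id not in CUSTOMERS:
        raise AccessDenied("not permitted")
    return CUSTOMERS[customer_id]


def is_denied(customer_id: int, session_token: Optional[str]) -> bool:
    """True when the hardened path refuses the request."""
    try:
        hardened_get_profile(customer_id, session_token)
    except AccessDenied:
        return True
    return False


def flag_enumeration(log_lines, threshold: int = 3):
    """Detection side: flag sessions requesting many distinct customer ids.
    Constructed log format: '<session> GET /api/customer/<id>'."""
    ids_by_session = collections.defaultdict(set)
    for line in log_lines:
        session, _method, path = line.split(" ", 2)
        ids_by_session[session].add(int(path.rsplit("/", 1)[1]))
    return sorted(s for s, ids in ids_by_session.items() if len(ids) >= threshold)


# Constructed log sample: sess-two touches three sequential ids, sess-one only its own.
SAMPLE_LOG = [
    "sess-one GET /api/customer/1001",
    "sess-two GET /api/customer/1001",
    "sess-two GET /api/customer/1002",
    "sess-two GET /api/customer/1003",
]
```

An even simpler fix is to drop the ID from the request entirely and expose a `/me` endpoint that always resolves the record from the session.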

The security firm Fallible published a blog post last week stating that McDonald's McDelivery web application is hackable and is leaking the personal records of 2.2 million Indian customers. The leaked information includes full name, phone number, social profile links, email address, home coordinates and full residential address. Fallible had already reported the vulnerability to McDonald's.

Patched or Not?

According to Fallible, they reported this security issue to McDonald's on February 7, 2017. A week later they received an email from a senior IT manager at McDonald's stating that the vulnerability had been patched by their team. The researchers then tried the same exploit again and once more gained access to all 2.2 million records. Fallible reported the issue again but received no reply.

On 7 March and 17 March Fallible emailed again to ask about the status of the patch, but McDonald's still did not reply. This means the McDelivery web app's vulnerability is still unpatched. Companies are not treating the security of customer data as a priority. As long as the web app leaks all of this personal data, criminals can use it to target McDonald's customers with social media scams and email phishing campaigns.
