The security flaws were first discovered by security researcher Eaton Zveare.
McDonald’s India reportedly claimed that customer data was not breached as a result of the security flaws
Photo Credit: Reuters
McDonald's India reportedly left the personal data of its customers and drivers exposed due to a security flaw. As per the report, the vulnerabilities arose due to bugs in the application programming interface (API) of the restaurant franchise's delivery system. The entire McDonald's India West and South divisions were said to be affected by this security flaw that could let anyone access and hijack orders placed on the system. The bugs were reportedly first spotted in July and were fixed by late September.
According to a TechCrunch report, the APIs of the delivery system used by the West and South divisions of McDonald's India, owned by Hardcastle Restaurants, were affected by several simple security flaws. These bugs were first discovered by security researcher Eaton Zveare, who revealed the details to the publication.
Due to the vulnerabilities, anyone with knowledge could reportedly access, hijack, redirect, or track orders in real-time. Bad actors could reportedly also place legitimate orders for $0.01 (roughly Rs. 0.85) by manipulating the delivery system's API.
Notably, the delivery system is used for placing orders and tracking. It contains customer names, phone numbers, and addresses, as well as personal information of the delivery personnel such as vehicle numbers, profile pictures, location data, and more.
The open access to the API was reportedly caused as it was not properly monitoring that only the authorised people were placing orders and tracking the information. The vulnerabilities reportedly left the system open for an attack and would even let a potential hacker access invoices and submit feedback for delivered orders.
The security researcher is said to have reported the vulnerabilities to McDonald's India in July, and they were fixed in late September. The restaurant chain told TechCrunch that a thorough verification of the system and log data was conducted and it was determined that no security breach occurred as a result of the API bugs. McDonald's India reportedly also maintained that customer data was not accessed by anyone outside of the organisation.
While the restaurant chain did not reveal the number of customers whose personal information was exposed as a result of the security flaws, the researcher reportedly claimed that hundreds of millions of orders were exposed.
Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.