
McDonald’s India reportedly left personal data of its customers and delivery drivers exposed because of security flaws. According to the report, the exposure was caused by bugs in the Application Programming Interface (API) of the franchisee’s restaurant delivery system. McDonald’s operations across western and southern India are said to have been affected by the flaws, which allowed anyone to access orders in the system and hijack them. The bugs were reportedly first discovered in July and fixed in late September.
McDonald’s India reportedly has a major security flaw
According to a report by TechCrunch, the delivery-system API of Hardcastle Restaurants, the operator of McDonald’s outlets in western and southern India, was affected by several simple security flaws. The flaws were first discovered by security researcher Eaton Zveare, who disclosed the details to the publication.
Because of the vulnerabilities, anyone who knew about them could reportedly access, hijack, redirect or track orders in real time. Bad actors could also place valid orders through the API by manipulating the delivery system, paying as little as USD 0.01 (approximately Rs 0.85).
It is worth noting that the delivery system is used to place and track orders. It holds customer names, phone numbers and addresses, as well as personal information about delivery drivers, such as vehicle numbers, profile pictures and location data.
The open access to the API is reportedly due to missing authorization checks: the API did not properly verify that the caller was actually entitled to place the order or retrieve the tracking information requested, so anyone could do so. These vulnerabilities reportedly exposed the system to attack, even allowing potential attackers to access invoices and submit feedback on delivered orders.
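As an illustration of the two failure modes described above, the following constructed Python example (added here; it is not Hardcastle’s or McDonald’s code, and every name, price and record in it is made up) puts an order-lookup handler that never checks who is asking beside one that enforces object-level authorization, and an ordering handler that trusts the price sent by the client beside one that prices the items server-side.

```python
"""Constructed illustration of the two API weaknesses the report describes:
an order endpoint that never checks who is asking, and an ordering endpoint
that trusts the price the client sends. Not Hardcastle's or McDonald's code;
all names, prices and records below are made up."""
from dataclasses import dataclass
from itertools import count
from typing import Dict


class Forbidden(Exception):
    """Raised when the caller may not see or change the requested order."""


class BadRequest(Exception):
    """Raised when the client sends items the server cannot price."""


@dataclass
class Order:
    order_id: int
    customer_id: int
    items: Dict[str, int]     # sku -> quantity
    total_paise: int          # price in paise (1/100 rupee)
    address: str
    status: str = "placed"


# Constructed menu: the server-side source of truth for prices, in paise.
MENU_PAISE = {"BURGER": 19900, "FRIES": 9900}

ORDERS: Dict[int, Order] = {}
_ids = count(1000)  # sequential ids (assumption): trivially guessable by an attacker


def _store(order: Order) -> Order:
    ORDERS[order.order_id] = order
    return order


# --- Vulnerable handlers ----------------------------------------------------

def vulnerable_get_order(order_id: int) -> Order:
    """Returns any order to anyone: no check that the caller owns it."""
    return ORDERS[order_id]


def vulnerable_place_order(customer_id: int, items: Dict[str, int],
                           total_paise: int, address: str) -> Order:
    """Accepts whatever total the client sends, so a 1-paisa burger is possible."""
    return _store(Order(next(_ids), customer_id, items, total_paise, address))


# --- Hardened handlers ------------------------------------------------------

def hardened_get_order(caller_id: int, order_id: int) -> Order:
    """Object-level authorization: the order must belong to the caller.

    Missing and foreign orders produce the same error so the endpoint cannot be
    used as an oracle to enumerate which ids exist."""
    order = ORDERS.get(order_id)
    if order is None or order.customer_id != caller_id:
        raise Forbidden(f"order {order_id} not available to customer {caller_id}")
    return order


def price_items(items: Dict[str, int]) -> int:
    """The server computes the total from its own menu; the client only sends skus/qtys."""
    total = 0
    for sku, qty in items.items():
        if sku not in MENU_PAISE or not isinstance(qty, int) or qty <= 0:
            raise BadRequest(f"cannot price {sku!r} x {qty!r}")
        total += MENU_PAISE[sku] * qty
    return total


def hardened_place_order(customer_id: int, items: Dict[str, int], address: str) -> Order:
    """No client-supplied price is accepted at all."""
    return _store(Order(next(_ids), customer_id, items, price_items(items), address))


def hardened_redirect_order(caller_id: int, order_id: int, new_address: str) -> Order:
    """Redirecting reuses the same ownership check and refuses once delivered."""
    order = hardened_get_order(caller_id, order_id)
    if order.status == "delivered":
        raise BadRequest("order already delivered")
    order.address = new_address
    return order


if __name__ == "__main__":
    alice = vulnerable_place_order(1, {"BURGER": 1}, total_paise=1, address="Flat 4, Mumbai")
    print("client-priced total (paise):", alice.total_paise)
    print("stranger reads Alice's address:", vulnerable_get_order(alice.order_id).address)
    bob = hardened_place_order(2, {"BURGER": 1, "FRIES": 2}, "12 MG Road, Bengaluru")
    print("server-priced total (paise):", bob.total_paise)
    try:
        hardened_get_order(1, bob.order_id)
    except Forbidden as exc:
        print("blocked:", exc)
```

The hardened lookup deliberately returns the same error for a non-existent order and for someone else’s order; if the two cases were distinguishable, an attacker walking sequential ids could still learn which orders exist even after the data itself was locked down.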
The security researcher is said to have reported the vulnerabilities to McDonald’s India in July, and they were fixed in late September. The restaurant chain told TechCrunch that it had thoroughly reviewed the system and its log data and determined that no security breach had occurred as a result of the API errors. McDonald’s India also reportedly insists that no one outside the organization accessed customer data.
While the restaurant chain did not disclose how much personal information the flaws exposed, the researcher reportedly claimed that hundreds of millions of orders had been exposed.