McDonald’s India has leaked customer and delivery driver data through a vulnerability in an API (Application Programming Interface) it uses. In addition, it was possible to hijack customer orders, place orders for just one cent, provide feedback on other customers’ orders, view the details of every order, and download invoices. The exposed data included customers’ names, email addresses, and telephone numbers; for delivery drivers, it also included their license plate number and profile photo.
Security researcher Eaton Zveare discovered that the API used by McDonald’s West and South India was vulnerable to Insecure Direct Object Reference (IDOR): changing just the Order ID was enough to view the information of other orders. IDOR occurs when a web application or API uses a caller-supplied identifier to look up an object in a database without authentication or any other form of access control, so anyone who can guess or alter the identifier can reach the object.
Zveare also discovered a way to adjust the total price when placing online orders, as well as to hijack orders already placed by others and have them delivered to a different address. The researcher alerted McDonald’s on July 20. By September 29, all problems were resolved and Zveare received a $240 gift card. McDonald’s informed the researcher that no exploitation of the API vulnerabilities had been observed.
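The two defects described above, an order lookup keyed only on the Order ID and a total price taken from the client, are shown below beside their hardened forms. This is an added illustration, not code from McDonald’s or from the researcher; the order store, menu prices, and customer IDs are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data standing in for the ordering backend.
MENU_PRICES = {"burger": 150, "fries": 90}   # integer price units

@dataclass
class Order:
    order_id: int
    customer_id: int
    items: dict      # item name -> quantity
    address: str
    total: int

ORDERS = {
    1001: Order(1001, 1, {"burger": 1}, "Flat 4, Mumbai", 150),
    1002: Order(1002, 2, {"fries": 2}, "Plot 9, Bengaluru", 180),
}

class OrderNotAccessible(Exception):
    """Raised for both 'no such order' and 'not your order', so the reply does
    not confirm which other Order IDs exist."""

def get_order_idor(order_id: int) -> Order:
    """Vulnerable pattern: the Order ID alone selects the record, so any caller
    who changes the ID reads another customer's order."""
    return ORDERS[order_id]

def get_order_checked(order_id: int, requester_id: int) -> Order:
    """Hardened pattern: fetch the record, then verify the authenticated
    requester owns it before returning anything."""
    order = ORDERS.get(order_id)
    if order is None or order.customer_id != requester_id:
        raise OrderNotAccessible(order_id)
    return order

def place_order_checked(customer_id: int, items: dict, address: str,
                        client_total: int) -> Order:
    """Hardened pricing: recompute the total from the server-side menu and
    treat the client-supplied figure as a consistency check, never as truth."""
    server_total = sum(MENU_PRICES[name] * qty for name, qty in items.items())
    if client_total != server_total:
        raise ValueError(f"price mismatch: client {client_total}, server {server_total}")
    order_id = max(ORDERS) + 1
    order = Order(order_id, customer_id, items, address, server_total)
    ORDERS[order_id] = order
    return order
```

In the hardened lookup the ownership check is the fix for the IDOR; in the hardened order placement the server, not the client, decides what the order costs.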
In short:
| Issue | Details |
|---|---|
| Data Leak | Exposed customer and delivery person data due to an API vulnerability. |
| Customer Information | Included names, email addresses, phone numbers, and for delivery drivers, license plates and profile photos. |
| API Vulnerability | Insecure Direct Object Reference (IDOR) allowed unauthorized access to customer orders. |
| Exploitation Possibilities | Allowed hijacking orders, placing orders for $0.01, and altering total prices. |
| Resolution | Issues reported on July 20, resolved by September 29; researcher awarded a $240 gift card. |