McDonald’s India has reportedly encountered a significant security issue that left the personal information of customers and delivery personnel vulnerable due to a flaw in its systems. According to reports, the vulnerabilities stemmed from bugs within the application programming interface (API) used in the restaurant chain’s delivery operations, impacting its West and South divisions. This flaw potentially allowed unauthorized individuals to access, alter, and hijack orders placed within the system.
McDonald’s India Reportedly Had a Major Security Flaw
A report by TechCrunch highlighted the security flaws in the APIs utilized by McDonald’s India, which is operated by Hardcastle Restaurants. Security researcher Eaton Zveare was credited with identifying these vulnerabilities and shared the findings with the publication.
The discovered flaws enabled unauthorized users to access, hijack, redirect, and track orders in real-time. Additionally, individuals with malicious intent reportedly could manipulate the system to place legitimate orders for just $0.01 (approximately Rs. 0.85).
This delivery system, essential for order placement and tracking, holds sensitive information, including customer names, phone numbers, addresses, and personal details of delivery staff, such as vehicle numbers and location data.
The vulnerability was linked to inadequate monitoring processes within the API, which failed to ensure that only authorized users were able to place orders and access tracking information. This oversight left the system open to potential attacks, allowing unauthorized access to invoices and enabling feedback submissions for completed orders.
The security researcher informed McDonald’s India of the vulnerabilities in July, and the company implemented fixes by late September. In a statement to TechCrunch, McDonald’s India confirmed that a comprehensive review of the system and its log data was conducted, concluding that no actual data breach occurred linked to the API issues. The chain asserted that customer data had not been accessed by outsiders.
While the company did not disclose the exact number of affected customers, the researcher suggested that hundreds of millions of orders may have been compromised due to the security flaws.
