Security flaws in McDonald's India (West & South) delivery system have exposed significant vulnerabilities, potentially compromising the personal data of customers and drivers, according to a report via TechCrunch.

The issue was identified in the McDelivery service's application programming interfaces (APIs), which are critical for order processing and tracking.

The security flaws were discovered by Traceable AI security researcher Eaton Zveare, who found that the McDelivery APIs were not adequately verifying user permissions.

Zveare exclusively revealed to TechCrunch that flaws in the company’s delivery system, McDelivery, allowed unauthorised individuals to exploit its API.

This vulnerability enabled anyone to access, hijack, or redirect orders, track them in real time, or even place legitimate orders for just $0.01.

The issue stemmed from the API's failure to properly verify whether the person making the requests was authorised to do so. The bugs also granted access to invoices and allowed unauthorised feedback submissions for customer orders.
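The flaw described above is a missing object-level authorization check: the API confirms that a caller is logged in but never checks that the caller is related to the specific order they name, so any account can read, redirect, invoice or review any order id. The following is an added illustration, not code from the article, TechCrunch or McDelivery; it models that class of bug with a hypothetical in-memory order store and constructed users, order ids and addresses, showing the vulnerable handlers beside hardened ones that tie every action to the order's own customer (or, for tracking, its assigned driver).

```python
"""Object-level authorization on a delivery-order API: vulnerable vs. hardened.

Added example, not code from the article, TechCrunch, or McDelivery. It models
the class of flaw described: an API that confirms the caller is logged in but
never checks that the caller is related to the specific order they name.
Users, order ids and addresses are constructed sample data.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Caller is authenticated but not allowed to act on this order."""


@dataclass
class Order:
    order_id: int
    customer: str      # account that placed the order
    driver: str        # driver assigned to deliver it
    address: str
    invoice: str
    feedback: list = field(default_factory=list)


@dataclass(frozen=True)
class Caller:
    user: str
    role: str          # "customer" or "driver"


def sample_orders():
    """Constructed in-memory order store (stands in for the real database)."""
    return {
        1001: Order(1001, "alice", "dave", "12 Park St", "INV-1001"),
        1002: Order(1002, "bob", "erin", "9 Lake Rd", "INV-1002"),
    }


# ---- Vulnerable pattern: authentication only, no per-object check ----------

def get_order_vulnerable(caller, store, order_id):
    # Any logged-in user can read any order just by supplying its id.
    return store[order_id]


def redirect_order_vulnerable(caller, store, order_id, new_address):
    # Same gap on a write path: any logged-in user can change the delivery address.
    store[order_id].address = new_address
    return store[order_id].address


# ---- Hardened pattern: authorize the caller against the named order --------

def _load_authorized(caller, store, order_id, *, allow_driver=False):
    """Return the order only if the caller owns it (or, if allowed, delivers it).

    A missing order and an order the caller may not see produce the same
    Forbidden, so an unrelated caller cannot learn which ids exist.
    """
    order = store.get(order_id)
    is_owner = (order is not None and caller.role == "customer"
                and order.customer == caller.user)
    is_driver = (order is not None and allow_driver and caller.role == "driver"
                 and order.driver == caller.user)
    if not (is_owner or is_driver):
        raise Forbidden(f"{caller.user} may not access order {order_id}")
    return order


def get_order_hardened(caller, store, order_id):
    # Tracking an order: the customer and the assigned driver both need it.
    return _load_authorized(caller, store, order_id, allow_driver=True)


def redirect_order_hardened(caller, store, order_id, new_address):
    # Changing the delivery address is a customer-only action.
    order = _load_authorized(caller, store, order_id)
    order.address = new_address
    return order.address


def get_invoice_hardened(caller, store, order_id):
    # Invoices carry personal details, so only the order's customer sees them.
    return _load_authorized(caller, store, order_id).invoice


def submit_feedback_hardened(caller, store, order_id, text):
    # Feedback is accepted only from the account that placed the order.
    order = _load_authorized(caller, store, order_id)
    order.feedback.append((caller.user, text))
    return len(order.feedback)


def denied(fn, *args):
    """True if the call is rejected with Forbidden (used to show the contrast)."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    store = sample_orders()
    alice, mallory = Caller("alice", "customer"), Caller("mallory", "customer")
    # Vulnerable: an unrelated account reads and redirects alice's order.
    print(get_order_vulnerable(mallory, store, 1001).address)
    print(redirect_order_vulnerable(mallory, store, 1001, "unrelated address"))
    # Hardened: the same account is refused; alice's own request succeeds.
    print(denied(get_order_hardened, mallory, store, 1001))
    print(get_invoice_hardened(alice, store, 1001))
```

The design point is that every handler resolves the order through one authorization gate keyed on the caller's identity and role, rather than trusting the id in the request; the gate also returns the same refusal for unknown and unauthorized ids, so a caller cannot use the difference to enumerate valid orders.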

The security gaps have reportedly compromised the privacy of customers of McDonald’s India (West & South), which is owned by Hardcastle Restaurants, by exposing their personal details.

The researcher reported the vulnerabilities to the fast-food chain in July 2024. McDonald’s addressed and rectified the flaws by late September.

Despite the potential risks, McDonald's India told TechCrunch that a “thorough verification of systems and logs” has not indicated any breach of customer data.

The company has not released any information regarding the number of customers who might have been affected by the exposure.

Zveare's findings suggest that the security flaws could have exposed access to “hundreds of millions of orders”.

This incident is not the first instance of data security concerns for McDonald’s India; in 2017, approximately 2.2 million customers' personal information was leaked through the company's delivery app.

In early 2024, McDonald's faced regulatory challenges when the Food and Drug Administration in the state of Maharashtra suspended the licence of an Ahmednagar outlet for using cheese substitutes without adequate disclosure.

"Security flaws in McDonald’s India reportedly exposed customer data" was originally created and published by Verdict Food Service, a GlobalData-owned brand.
