McDonald’s India’s Delivery System Exposed Customer Data, Says Researcher

SUMMARY

The flaws discovered by security researcher Eaton Zveare of Traceable AI were found in the company’s API used for order placement and tracking

Zveare claimed to have reported the issue to the company in July, after which he said the vulnerability was fixed by late September

However, McDonald’s India said that its internal checks found no breach of customer data

A security vulnerability in McDonald’s India’s delivery system, McDelivery, allegedly exposed the personal data of its customers and delivery drivers. 

The flaws discovered by security researcher Eaton Zveare of Traceable AI were found in the company’s API used for order placement and tracking. 

The development was first reported by TechCrunch. 

Zveare claimed to have reported the issue to McDonald’s India in July, after which he said the company fixed the vulnerability by late September. 

The incident happened in McDonald’s ‘West & South India’ franchisee, which is operated by Hardcastle Restaurants Private Limited (HRPL), Zveare said in a blog post. 

However, McDonald’s India told TechCrunch that its internal checks found no breach of customer data.

“We conduct regular audits and assessments to continuously strengthen our security measures, and have all the necessary enhancements implemented, ensuring all our systems are up to date and secure,” the company told the publication. 

Zveare highlighted the issues in the blog post published on Friday (December 19). Below are the key concerns outlined by Zveare:

  • Orders For INR 1: Exploits enabled users to modify prices and place orders for as low as INR 1.

  • Order Hijacking: Delivery orders could be redirected to different addresses through carefully timed API manipulations.

  • Personal Data Exposure: Information like names, phone numbers, and vehicle details of delivery drivers was accessible.

  • Real-Time Tracking: Unauthorised tracking of delivery riders’ live locations was possible.

  • Invoice & Feedback Access: Users could download invoices or submit feedback for orders they didn’t place.

  • Admin Data Access: Limited access to internal admin reports was also possible through API flaws.

Notably, cybersecurity lapses are a growing concern in India. Most recently, ride-hailing major Rapido reportedly leaked the personal information of its users and drivers due to a security issue with a feedback form.

The personal data was exposed due to a flaw with a website form which collected feedback from Rapido rickshaw users and drivers.

Meanwhile, personal data of millions of Star Health’s customers was leaked on Telegram in September this year. Data of Star Health customers such as policy and claim documents, including names, contact info, addresses, tax details, copies of ID cards, test results and medical diagnosis was reportedly available for download on the Telegram app.
