Your data is not safe if you use McDonald’s India app because there’s a gaping security hole in it

Jayadevan PK March 18, 2017 1 min

McDelivery, the app launched by fast food chain McDonald’s is leaking personal data of millions of users, because it left a gaping security hole in the system.

FactorDaily reached out to an information security expert who replicated the issue within a few minutes. According to Fallible, an unprotected publicly accessible API endpoint for getting user details coupled with serially enumerable integers as customer IDs can be used to obtain access to all users personal information.

The vulnerability was spotted by cyber security firm Fallible and published on Hackernoon first (h/t @aparatbar).

Application program interface (API) is a set of rules or protocols that tell software components how to interact with each other. So when the app requires customer data from the database, it sends a specific set of instructions to the database through what is called an API call. The database then returns the information to the app.

In this case, the API has been left open. Which means, practically anyone can send an API call to the database to get user information. Now if you want to scrape all of McDelivery user data, you can automate this process and send repeated API calls to the database and store the information.

Fallible says that it reached out to McDelivery last month and received an acknowledgement from a senior IT manager a week later. It’s been more than a month but the security hole still exists. Unfortunately, Fallible has also left screenshots on the post, making it easy for anyone with basic programming knowledge to steal user data. In the information security circles, this would fall right into the category of “irresponsible disclosure.”


Disclosure: FactorDaily is owned by SourceCode Media, which counts Accel Partners, Blume Ventures and Vijay Shekhar Sharma among its investors. Accel Partners is an early investor in Flipkart. Vijay Shekhar Sharma is the founder of Paytm. None of FactorDaily’s investors have any influence on its reporting about India’s technology and startup ecosystem.