McDelivery, the app launched by fast food chain McDonald’s is leaking personal data of millions of users, because it left a gaping security hole in the system.
FactorDaily reached out to an information security expert who replicated the issue within a few minutes. According to Fallible, an unprotected publicly accessible API endpoint for getting user details coupled with serially enumerable integers as customer IDs can be used to obtain access to all users personal information.
Application program interface (API) is a set of rules or protocols that tell software components how to interact with each other. So when the app requires customer data from the database, it sends a specific set of instructions to the database through what is called an API call. The database then returns the information to the app.
In this case, the API has been left open. Which means, practically anyone can send an API call to the database to get user information. Now if you want to scrape all of McDelivery user data, you can automate this process and send repeated API calls to the database and store the information.
Fallible says that it reached out to McDelivery last month and received an acknowledgement from a senior IT manager a week later. It’s been more than a month but the security hole still exists. Unfortunately, Fallible has also left screenshots on the post, making it easy for anyone with basic programming knowledge to steal user data. In the information security circles, this would fall right into the category of “irresponsible disclosure.”
Disclosure: FactorDaily is owned by SourceCode Media, which counts Accel Partners, Blume Ventures and Vijay Shekhar Sharma among its investors. Accel Partners is an early investor in Flipkart. Vijay Shekhar Sharma is the founder of Paytm. None of FactorDaily’s investors have any influence on its reporting about India’s technology and startup ecosystem.