McDonalds India Allegedly Exposes Personal Data of 2.2 Million Users

An unprotected, publicly accessible API endpoint leaks everything from phone numbers to home addresses.

New Delhi: McDonald’s home-delivery mobile application does more than just help you get the company’s trademark burgers. According to cybersecurity start-up Fallible, security vulnerabilities in the Indian app potentially expose the personal data of than 2 million of its users.

“An unprotected publicly accessible API endpoint for getting user details coupled with serially enumerable integers as customer IDs can be used to obtain access to all users personal information,” Fallible, wrote in a blogpost on Saturday morning.

The leaked data includes, in some cases, the names, email addresses, phone numbers, home addresses, accurate home coordinates and social profile links of the fast-food restaurant’s users.

The app in question, called McDelivery by McDonalds, is a typical home-delivery app that allows Indian consumers to order their food, lets them pay online and allows them to track their order as well.

Under their responsible disclosure policy, Fallible reached out to the McDelivery team on February 4, 2017. A little more than week later it was acknowledged by a senior McDelivery IT manager who, according to sources, is based out of India.

However, more than a month later, the vulnerability still hasn’t been fixed.

At the moment, the security vulnerabilities only appear to limited to the India-only app. Although there is a similar McDelivery app for the United States, it doesn’t use the same insecure API endpoint which is currently leaking data.

The fast food giant is divided geographically in India (by two separate franchises). The security vulnerabilities of the app in question, and Fallible’s testing of it, appears to apply to the West & South region. According to sources, shortly after Fallible made it public, they were contacted by a senior official at McDonalds who have promised to fix the issue immediately.

When contacted, a McDonalds India spokesperson said that “as a precautionary measure, we would also urge our users to update the McDelivery app on their devices”.

“We would like to inform our users that our website and app does not store any sensitive financial data of the users like credit card details, wallets passwords or bank account information. The website and app has always been safe to use, and we update security measure on regular basis. As a precautionary measure, we would also urge our users to update the McDelivery app on their devices. At McDonald’s India, we are committed to our users’ data privacy and protection,” the company said in a statement.

Spate of breaches

The McDonalds app vulnerability is the latest in a long line of  data breaches by numerous company and government applications. As The Wire has reported, one of the more prominent examples of poor API security include the Narendra Modi app.

As The Wire has reported and analysed in the past, the state of cybersecurity in India Inc and amongst large corporates is abysmal. There are no disclosure laws that require companies to state whether they have been breached or leaked the data of users through poor security measures.

Although Section 43A of the updated IT Act (2008) provides a clause for user compensation “if a body corporate… is negligent” in the handling of sensitive personal data, in actual practice these provisions are rarely used.