McDonalds delivery customers put at risk by possible data breach

LovabledanielsDecember 23, 202475 Views

A researcher found a flaw in a McDonalds API which allowed them to hijack orders
The bug also leaked sensitive information
It was fixed in September 2024, but users should still be careful

A delivery system for McDonalds in India was flawed in a way that exposed sensitive customer information, and allowed people to make fraudulent orders, experts hae claimed.

Cybersecurity researcher Eaton Zveare from Traceable AI, who found a bug in the API of the delivery system in McDonalds India (West & South).

The delivery system, which is apparently owned by a company called Hardcastle Restaurants, had a vulnerability which exposed delivery customer names, email addresses, and phone numbers. For the drivers, it exposed vehicle numbers, profile pictures, and tracked real-time location of their deliveries. Besides, the bug allowed people to access, hijack, redirect, or track orders in real-time. They could also make orders for as little as $0.01.

No data breach recorded

Zveare found the vulnerabilities in June 2024, and McDonalds fixed it in September. Allegedly, no threat actors stumbled upon this bug, and no customers were actually exposed.

McDonald’s India said a “thorough verification of systems and logs” showed the flaws did not result in a breach of its customer data.

“We conduct regular audits and assessments to continuously strengthen our security measures, and have all the necessary enhancements implemented, ensuring all our systems are up to date and secure,” Sulakshna Mukherjee, a spokesperson at McDonald’s India (West & South), said in a statement emailed to TechCrunch.

While we don’t know exactly how many people were put at risk through the bug, TechCrunch was told “hundreds of millions” of orders were exposed.

“The McDelivery (West & South) mobile app uses the same exact back-end APIs as the website. As a result, both were vulnerable to the same exploits,” the researcher told the publication.

Since the delivery system for India North & East is different, these parts of the country were not affected, and other countries are safe, too.

Weekly update

UK Prices for LG’s 2025 QNED TVs are live, and Samsung should be worried

ChatGPT could have multiple preset personalities for you to interact with in the future, to help combat its sycophantic personality problem

Skylar Diggins Files For Divorce From Husband Of 8 Years

Weekly Newsletter

McDonalds delivery customers put at risk by possible data breach

Leave a comment

Leave a Reply Cancel reply

Explore more

ChatGPT could have multiple preset personalities for you to interact with in the future, to help combat its sycophantic personality problem

Skylar Diggins Files For Divorce From Husband Of 8 Years

TikTok hit by a €530 million fine in the EU for illegally sending Europeans’ data to China

I took my Meta Quest 3 on a 3,000-mile flight so you don’t have to – here’s what I learned

Best Star Wars Day 2025 Deals – Shop new Lego sets, Funko Pops, Galaxy-themed tech, and more for May the 4th

You can now fact check anybody’s post in WhatsApp – here’s how

US asks judge to break up Google’s ad tech business

Spotify updates iOS app in record time with new pricing options – leaving fans wondering why other fixes are taking so long

Get to Know Us

Let's keep in touch