A McDonalds app in India is found to be leaking user information, even after a fix has been implemented.
Ok my fellow Americans. I feel cheated. It seems that in India, as well as many other countries, you can have McDonalds delivered. Imagine that. Not having to wait for long periods of time in drive-thru only to receive the wrong order.
I could receive the wrong order in the comfort of my own home!
Well, perhaps I’m not quite jealous. Security researchers at Fallible have discovered there is a bug in the system. This bug is leaking the information of users of the web app McDelivery. Fallible states that it is a “trivial” error and could “have been fixed in a day at max”. But it wasn’t.
Fallible discovered and reported the error on February 7th. Fallible received an acknowledgment from McDonalds on February 13. But the issue was not addressed until last week. Not only that, it wasn’t really fixed in the update. The issue is still there.
This bug, due to an unprotected publicly accessible API, allows a frightening amount of user information to be leaked. Information such as names, email addresses, phone numbers, home addresses, home co-ordinates and profile links are easily obtainable by malicious actors.
McDonalds made the statement: “We would like to inform our users that our website and app does not store any sensitive financial data of the users like credit card details, wallets passwords or bank account information. The website and app has always been safe to use, and we update security measure on regular basis. As a precautionary measure, we would also urge our users to update the McDelivery app on their devices.”
It seems McDonalds India has a very strange definition of “safe to use”. The fact that financial information isn’t at risk, should do nothing to ease the fears of users. The web app is leaking more than enough information for malicious attackers to utilize.