This is published under our responsible disclosure policy
UPDATE2: The McDonald’s fix is incomplete and the endpoint is still leaking data. We have communicated this again to them and are waiting for their response.
UPDATE1: McDonald’s India has replied to us that they have fixed the issue and would be releasing an official statement urging their users to upgrade the app.
The McDonald’s India app, McDelivery is leaking personal data for more than 2.2 million of its users which includes name, email address, phone number, home address, accurate home co-ordinates and social profile links. We contacted McDelivery on 7th Feb and received an acknowledgement from a Senior IT Manager on 13th Feb (33 days ago). The issue has not been fixed yet and our continued effort to get an update for the fix after the initial acknowledgement has failed.
An unprotected publicly accessible API endpoint for getting user details coupled with serially enumerable integers as customer IDs can be used to obtain access to all users personal information.
The lack of strong data protection and privacy laws or penalties in India, unlike the European Union , United States or Singapore has led to companies ignoring user data protection. There is a similar lack of push from non-government organisations to improve this scenario. We have in the past discovered more than 50 instances of data leaks in several Indian organisations. In fact, we are pleasantly surprised when we find Indian companies without a personal or payment data leak vulnerability in their APIs.
A sample response to the curl request:
- 4th Feb’17 — Fallible reported the issue to McDelivery
- 13th Feb’17 — Issue acknowledged by McDelivery IT Manager.
- 7th March’17 — Fallible sent an email asking about the status, no reply from McDelivery.
- 17th March’17 — Fallible sent another email; No response from McDelivery;
- 18th March’17 — No response yet. McDelivery users are still vulnerable. Public disclosure.