One of India’s most popular food delivery apps, McDonald’s McDelivery, was discovered to have critical vulnerabilities that could have been exploited for malicious purposes.
The flaws were identified by an ethical hacker who conducted a detailed investigation into the app, successfully uncovering a range of exploits that showcased significant lapses in API security.
The Vulnerability
The McDelivery system, developed by McDonald’s India (West & South) / Hardcastle Restaurants Pvt. Ltd., was found to have numerous flaws in its API, allowing unauthorized access to various functionalities. These exploits included:
- Ordering for ₹1: Users could manipulate the system to place orders for as little as ₹1 ($0.01 USD) by exploiting a vulnerability related to cart object price manipulation.
- Hijacking Orders: By carefully timing API requests, hackers could redirect another user’s order to their address, effectively stealing an order.
- Monitoring Deliveries: Real-time tracking of delivery drivers for any order was possible through the manipulation of API calls, exposing the rider’s location and sensitive personal information.
- Access to Sensitive Data: Users could retrieve the order details of others, download invoices, and even submit feedback on orders they didn’t place.
- Driver Information Leak: Personal details of delivery riders, such as their name, phone number, email, profile picture, and vehicle license plate number, were publicly accessible.
- Unauthorized Admin Data Access: A loophole allowed users to view admin Key Performance Indicator (KPI) reports without proper authorization.
The Investigation
The ethical hacker, working through vulnerability classes such as Broken Object Level Authorization (BOLA) and Mass Assignment, systematically uncovered the weaknesses in the McDelivery app.
Despite McDonald’s India using Angular, a popular single-page application framework, and implementing basic authentication measures such as JWT tokens, the systems fell short when it came to properly restricting user access to sensitive data.
One of the standout exploits involved manipulating the price of items in the cart. By altering the “price” parameter via the API, the hacker was able to place orders for a fraction of the original cost, bypassing server-side validation.
Another significant vulnerability allowed hackers to hijack in-progress orders. By modifying the assigned address ID or user ID of an order placed by another user, the hacker could redirect the delivery to their location, effectively stealing the food.
The investigation revealed alarming privacy risks. Drivers’ personal information, including their real-time location, was exposed. Moreover, invoices for any order could be accessed simply by changing the order ID in an API request.
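As an added illustration (this is not McDelivery’s code; the catalog, user ids and order ids are constructed), the two flaw classes described above, a cart price copied from the client request and an order address changed without an ownership check, shown beside their hardened forms:

```javascript
// Constructed in-memory order API used to contrast the two flaw classes.
const CATALOG = { "burger-1": 199, "fries-1": 99 }; // server-side prices in rupees (invented)
const ORDERS = new Map();                            // orderId -> order record
let nextOrderId = 1;

// Mass assignment flaw: the server copies the client-supplied "price" into the cart,
// so a request carrying price: 1 is billed as 1 rupee.
function createOrderVulnerable(userId, items) {
  const total = items.reduce((sum, it) => sum + it.price * it.qty, 0);
  const order = { id: nextOrderId++, userId, addressId: null, total };
  ORDERS.set(order.id, order);
  return order;
}

// Hardened: only a catalog id and quantity are accepted from the client; the price
// is looked up server-side, and unknown items or bad quantities are rejected.
function createOrderSecure(userId, items) {
  let total = 0;
  for (const it of items) {
    if (!(it.sku in CATALOG) || !Number.isInteger(it.qty) || it.qty < 1) {
      throw new Error("invalid cart item");
    }
    total += CATALOG[it.sku] * it.qty; // client-supplied "price", if any, is ignored
  }
  const order = { id: nextOrderId++, userId, addressId: null, total };
  ORDERS.set(order.id, order);
  return order;
}

// BOLA flaw: any authenticated caller can repoint any order just by knowing its id.
function setAddressVulnerable(callerId, orderId, addressId) {
  const order = ORDERS.get(orderId);
  if (!order) throw new Error("not found");
  order.addressId = addressId;
  return order;
}

// Hardened: the order must belong to the caller, whose id comes from the verified
// JWT rather than the request body. Foreign orders get the same "not found" as
// missing ones, so the endpoint does not confirm which order ids exist.
function setAddressSecure(callerId, orderId, addressId) {
  const order = ORDERS.get(orderId);
  if (!order || order.userId !== callerId) throw new Error("not found");
  order.addressId = addressId;
  return order;
}
```

The same ownership check belongs on every per-order endpoint the report lists (invoice download, tracking, feedback), since each takes an order id from the client.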
“These vulnerabilities are not just technical flaws; they represent a real danger to user privacy and McDonald’s reputation,” the hacker noted in his report.
The ethical hacker compiled a comprehensive 24-page report detailing the exploits and submitted it to the McDelivery bug bounty program. To McDonald’s credit, their response was commendable. All vulnerabilities were fixed within the standard 90-day timeframe.
Although the responses were relatively slow, the company ensured that every reported issue was patched thoroughly. The hacker was awarded a bounty for their efforts.
McDonald’s India deserves recognition for having a bug bounty program that encourages ethical hackers to report vulnerabilities. Notably, McDonald’s USA does not have an official bug bounty program, a fact that has drawn criticism from security professionals.
With over 10 million downloads on Google Play and a strong presence on the Apple App Store, McDelivery is a critical component of McDonald’s operations in India. This incident serves as a stark reminder of the importance of robust security practices in consumer-facing applications.
While the vulnerabilities have since been patched, this case highlights the need for continuous security assessments, especially for systems handling sensitive customer data and financial transactions. Companies must prioritize user safety and privacy, learning from this incident to avoid similar oversights.