A critical security vulnerability in the McDelivery system operated by McDonald’s India (West & South) left the personal data of countless customers and delivery drivers exposed. Discovered by security researcher Eaton Zveare of Traceable AI, the flaws originated from improper API authentication, allowing unauthorized access to sensitive accounts and real-time tracking systems.
API Vulnerabilities and Order Hijacking
The security gaps, which affected both the McDelivery mobile application and the official website, stemmed from an API that failed to verify user authorization. This oversight granted attackers the ability to:
- Access, hijack, or redirect active customer orders.
- Track delivery drivers in real-time.
- Place unauthorized orders for as little as $0.01.
- Retrieve customer invoices and manipulate feedback submissions.
Exposure of Personal and Professional Data
The breach of security protocols compromised a significant volume of private information. For customers, this included full names, email addresses, and phone numbers. For delivery personnel, the vulnerabilities exposed vehicle license plate numbers, profile imagery, and precise GPS location data during active shifts. According to Zveare, the flaws potentially provided access to hundreds of millions of past and present orders.
Timeline of Discovery and Patching
Zveare identified these vulnerabilities and disclosed them to the restaurant chain in July. Following the notification, the company implemented fixes in late September. The researcher detailed the technical specifics of these vulnerabilities in a technical blog post published after the patches were confirmed.
Corporate Response and Historical Context
McDonald’s India (West & South) maintains that no actual data breach occurred. Sulakshna Mukherjee, a spokesperson for the company, stated that a “thorough verification of systems and logs” suggested the data remained secure. The company emphasized its commitment to ongoing security audits and system enhancements to protect its digital infrastructure.
This incident marks another security challenge for the franchise in India. In 2017, the same entity faced a significant data leak involving the personal information of approximately 2.2 million customers, highlighting a recurring struggle with digital privacy and system integrity.