The McDelivery application leak.
This app is used by McDonald’s customers in India and it was found to be leaking the personal data of more than 2.2 million users.
McDelivery is a web application used by McDonald’s customers in India that was found to be leaking the personal information of more than 2.2 million users.
he issue was discovered by researchers at security startup Fallible, who discovered that the application was leaking user data, including names, email addresses, phone numbers, home addresses, home co-ordinates, and social profile links.
“The McDonald’s India app, McDelivery is leaking personal data for more than 2.2 million of its users which include name, email address, phone number, home address, accurate home co-ordinates and social profile links. ” reads the blog post published by Fallible.
The data leak in the McDelivery app is the result of an unprotected publicly accessible API endpoint that was designed to deliver user details, which is coupled with serially enumerable integers as customer IDs.
An attacker can exploit the issue to enumerate all the users of the application and access related data.
The application fails to check if the user ID requested via the API is the same user who has logged in. The user ID is a plain number that starts from 1 and can be enumerated by an attacker to retrieve data of the users.
The issue was reported on Feb. 7, and a Senior IT Manager at McDonald’s confirmed the vulnerability on Feb. 13. The company addressed the vulnerability last week, but according to the experts at Fallible, the fix was incomplete.
Read the full article from here