McDonald’s India Fixes Critical Bug in Delivery System, Ensures Customer Data Security
A significant security flaw in McDonald’s India’s delivery system (West and South) recently came to light, exposing sensitive information of thousands of customers and delivery partners. The exposed data included personal details such as full names, phone numbers, and email addresses, among others.
Vulnerability Details
As reported by TechCrunch, the issue was identified by security researcher Eaton Zveare, who discovered a critical bug in McDonald’s API. The flaw allowed unauthorized access to real-time order tracking and redirection. Additionally, attackers could place legitimate orders for as little as $0.01 or ₹0.85 by manipulating the API, which is used across McDonald’s website, mobile apps, and other delivery platforms.
The vulnerability extended beyond customers, exposing data such as vehicle numbers, profile pictures, and real-time tracking information of delivery partners. The bug also permitted unauthorized access to invoices and enabled individuals to submit feedback on customer orders.
While the exact scale of the exposure remains unclear, the report suggests that the flaw potentially compromised data linked to hundreds of millions of orders.
McDonald’s Response
The security flaw, discovered in July, was fixed by McDonald’s India by late September. In a statement to the publication, McDonald’s India acknowledged the issue but said that an internal investigation found no evidence of a data breach.
Recurring Security Challenges
This is not the first time McDonald’s India has faced such challenges. In 2017, a similar vulnerability in its delivery app exposed the personal information of 2.2 million customers, including names, home addresses, and phone numbers. The company addressed the issue by updating the app and encouraging customers to install the revised version.
Conclusion
The recent incident underscores the importance of robust cybersecurity measures, especially for platforms managing sensitive customer and partner data. While McDonald’s India has resolved the issue, the incident serves as a reminder for businesses to regularly audit their digital infrastructure to prevent such occurrences and maintain customer trust.