A researcher found a flaw in a McDonald's API which allowed them to hijack orders

The bug also leaked sensitive information

It was fixed in September 2024, but users should still be careful

A delivery system for McDonald's in India was flawed in a way that exposed sensitive customer information and allowed people to place fraudulent orders, experts have claimed.

The bug was found by cybersecurity researcher Eaton Zveare from Traceable AI, in the API of the delivery system used by McDonald's India (West & South).

The delivery system, which is apparently owned by a company called Hardcastle Restaurants, had a vulnerability which exposed delivery customers' names, email addresses, and phone numbers. For the drivers, it exposed vehicle numbers, profile pictures, and the real-time location of their deliveries. The bug also allowed people to access, hijack, redirect, or track orders in real time, and to place orders for as little as $0.01.
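The article does not say how the flaws worked, only what they allowed: reading and redirecting other people's orders, and placing orders for a cent. The following is an added illustration, not code from the article, from the researcher, or from McDonald's or Hardcastle Restaurants, of the two server-side checks that close those two failure modes in general: an object-level authorization check on every order lookup, and a server-authoritative price that ignores whatever total the client sends. The in-memory order store, the menu, the prices, and the user ids are all constructed for the example; the "insecure" handlers show the weak pattern beside the hardened one.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed menu: prices in paise (1/100 INR). The server-side catalogue is the
# only source of truth for what an order costs; the client never sets a price.
MENU_PRICE_PAISE = {"burger": 19900, "fries": 9900}


class Forbidden(Exception):
    """Requester is not allowed to read or change this order."""


class PriceMismatch(Exception):
    """Client-supplied total does not match the server-computed total."""


@dataclass
class Order:
    order_id: int
    customer_id: int
    items: dict            # menu item name -> quantity
    total_paise: int
    address: str
    driver_id: Optional[int] = None   # assigned driver, if any


class OrderStore:
    """In-memory stand-in for the order database (constructed for the example)."""

    def __init__(self) -> None:
        self._orders: dict[int, Order] = {}
        self._next_id = 1

    def add(self, order: Order) -> Order:
        order.order_id = self._next_id
        self._next_id += 1
        self._orders[order.order_id] = order
        return order

    def get(self, order_id: int) -> Order:
        return self._orders[order_id]


def server_total_paise(items: dict) -> int:
    """Recompute the total from the catalogue; an unknown item raises KeyError."""
    return sum(MENU_PRICE_PAISE[name] * qty for name, qty in items.items())


# --- Weak pattern: trusts the client for both price and object access -----------

def place_order_insecure(store, customer_id, items, address, client_total_paise):
    # Copies the total straight out of the request body, so any value is accepted.
    return store.add(Order(0, customer_id, items, client_total_paise, address))


def get_order_insecure(store, order_id):
    # Looks up by id alone: whoever supplies an id can read or redirect that order.
    return store.get(order_id)


# --- Hardened pattern ----------------------------------------------------------

def place_order(store, customer_id, items, address, client_total_paise):
    # The client's total is only compared, never stored; the server's figure wins.
    expected = server_total_paise(items)
    if client_total_paise != expected:
        raise PriceMismatch(f"client sent {client_total_paise}, server computed {expected}")
    return store.add(Order(0, customer_id, items, expected, address))


def get_order(store, requester_id, order_id):
    # Object-level check: only the ordering customer or the assigned driver may read it.
    order = store.get(order_id)
    if requester_id not in (order.customer_id, order.driver_id):
        raise Forbidden(f"user {requester_id} may not access order {order_id}")
    return order


def redirect_order(store, requester_id, order_id, new_address):
    # Changing the destination is reserved for the customer who placed the order.
    order = store.get(order_id)
    if requester_id != order.customer_id:
        raise Forbidden(f"user {requester_id} may not redirect order {order_id}")
    order.address = new_address
    return order
```

The two checks are independent: the price check belongs in the handler that creates the order, and the ownership check belongs in every handler that takes an order id, including tracking and redirection, since a read-only tracking endpoint that skips it still leaks the customer's and driver's details. A logged `Forbidden` on an order id the requester does not own is also a useful detection signal for id enumeration.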

No data breach recorded

Zveare found the vulnerabilities in June 2024, and McDonald's fixed them in September. Allegedly, no threat actors stumbled upon the bug, and no customers were actually exposed.

McDonald’s India said a “thorough verification of systems and logs” showed the flaws did not result in a breach of its customer data.

“We conduct regular audits and assessments to continuously strengthen our security measures, and have all the necessary enhancements implemented, ensuring all our systems are up to date and secure,” Sulakshna Mukherjee, a spokesperson at McDonald’s India (West & South), said in a statement emailed to TechCrunch.

While we don’t know exactly how many people were put at risk through the bug, TechCrunch was told “hundreds of millions” of orders were exposed.

“The McDelivery (West & South) mobile app uses the same exact back-end APIs as the website. As a result, both were vulnerable to the same exploits,” the researcher told the publication.

Since the delivery system for India North & East is different, these parts of the country were not affected, and other countries are safe, too.