Flaws in McDonald's India's delivery API allowed deliveries to be hijacked and burgers to be ordered for a penny
It has been revealed that a vulnerability in
I'm Lovin' It: Exploiting McDonald's APIs to hijack deliveries and order food for a penny
https://eaton-works.com/2024/12/19/mcdelivery-india-hack/
Bugs in a major McDonald's India delivery system exposed sensitive customer data | TechCrunch
https://techcrunch.com/2024/12/19/bugs-in-a-major-mcdonalds-india-delivery-system-exposed-sensitive-customer-data/
Eaton Zveare, a security researcher at the API security firm Traceable AI, discovered flaws in the API behind the McDelivery system of McDonald's India (the West and South India franchise, operated by Hardcastle Restaurants).
McDonald's India's McDelivery is available on its website and iOS / Android app and is a popular delivery service in India. McDelivery itself is available in various countries and regions around the world, but McDonald's India has developed its own custom web app to provide the service.
McDonald's India McDelivery is built using
According to Zveare, McDonald's India's delivery system has a vulnerability called '
The flaws in McDonald's India's McDelivery service let anyone who could talk to the API that the apps and website use to place and track orders read or hijack other people's orders, change their delivery addresses, track deliveries in real time, and place orders for about 1 cent (a penny). The root cause is that the API checked only that a caller was logged in, not that the caller was actually authorized to act on the specific order or price it was asked to handle.
According to Zveare, the McDelivery mobile app used exactly the same backend APIs as the website, so the app and the website were vulnerable to the same exploits. Anyone who queried the API could therefore obtain personal information of McDonald's India customers (names, email addresses, phone numbers), together with the license plate numbers of the delivery vehicles, the profile photos of the delivery drivers, and the drivers' real-time location while a delivery was in progress.
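To make the two failure modes concrete, here is an added example in Python: a toy delivery-API back end with an order endpoint that never checks ownership (the broken object-level authorization described above) and an order-creation endpoint that trusts a client-supplied total, each beside a hardened version. This is illustrative code written for this article, not McDonald's India's code and not taken from the Eaton Works write-up; the endpoint, field and menu names, the prices and the sample orders are all constructed assumptions.

```python
# Added example: toy delivery-API handlers. Not McDonald's India's code;
# all names, prices and sample orders below are constructed assumptions.
import itertools
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple

MENU = {"burger": 189.00, "fries": 99.00}   # constructed prices (rupees)


class Forbidden(Exception):
    """Request rejected; a real API would answer 403 or 404."""


@dataclass
class Order:
    order_id: int
    owner_id: int
    items: Dict[str, int]                     # item name -> quantity
    total: float
    address: str
    driver_location: Optional[Tuple[float, float]] = None   # live GPS fix


# Constructed sample data: customers 7 and 8, one order each, sequential IDs.
ORDERS: Dict[int, Order] = {
    1001: Order(1001, 7, {"burger": 1}, 189.00, "Flat 4, Bandra", (19.06, 72.83)),
    1002: Order(1002, 8, {"fries": 2}, 198.00, "Tower B, Powai", None),
}
_ids = itertools.count(2000)


def get_order_vulnerable(caller_id: Optional[int], order_id: int) -> Order:
    """BOLA: verifies the caller is logged in but never that the order is
    theirs, so any user can read any order by guessing its ID."""
    if caller_id is None:
        raise Forbidden("login required")
    return ORDERS[order_id]           # KeyError for unknown IDs


def get_order_hardened(caller_id: Optional[int], order_id: int) -> Order:
    """Object-level check: the order must exist AND belong to the caller.
    One error for both cases so the endpoint does not reveal which IDs exist."""
    order = ORDERS.get(order_id)
    if caller_id is None or order is None or order.owner_id != caller_id:
        raise Forbidden("order not found")
    return order


def change_address_hardened(caller_id: int, order_id: int, new_address: str) -> Order:
    """Every mutating route reuses the same ownership check."""
    order = get_order_hardened(caller_id, order_id)
    order.address = new_address
    return order


def create_order_vulnerable(caller_id: int, items: Dict[str, int], client_total: float) -> Order:
    """Price tampering: the total is whatever the client put in the request."""
    order = Order(next(_ids), caller_id, dict(items), float(client_total), "")
    ORDERS[order.order_id] = order
    return order


def create_order_hardened(caller_id: int, items: Dict[str, int]) -> Order:
    """Server-side pricing: reject unknown items or bad quantities and
    recompute the total from MENU; nothing the client says about price is used."""
    if not items or any(n not in MENU or not isinstance(q, int) or q <= 0
                        for n, q in items.items()):
        raise ValueError("invalid cart")
    total = round(sum(MENU[n] * q for n, q in items.items()), 2)
    order = Order(next(_ids), caller_id, dict(items), total, "")
    ORDERS[order.order_id] = order
    return order


def enumerate_orders(fetch: Callable[[int, int], Order], caller_id: int,
                     id_range: Iterable[int]) -> List[Order]:
    """What an attacker does against sequential IDs: walk the range and keep
    whatever the endpoint returns. Against the vulnerable fetch this is every
    order in the range; against the hardened one only the caller's own."""
    found = []
    for oid in id_range:
        try:
            found.append(fetch(caller_id, oid))
        except (Forbidden, KeyError):
            continue
    return found


def is_forbidden(fn: Callable, *args) -> bool:
    """True if the call is rejected with Forbidden (used to show the checks work)."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # Customer 8 reading customer 7's order, address and driver position:
    leaked = get_order_vulnerable(8, 1001)
    print("vulnerable:", leaked.address, leaked.driver_location)
    print("hardened rejects:", is_forbidden(get_order_hardened, 8, 1001))
    print("penny order total:", create_order_vulnerable(8, {"burger": 1}, 0.01).total)
    print("server-priced total:", create_order_hardened(8, {"burger": 1}).total)
```

The fix is the same in both halves: the server, not the client, is the source of truth for who owns an object and what it costs, and every route that touches an order (read, address change, tracking) runs the ownership check, not just the one that was reported.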
Zveare discovered the vulnerabilities in July 2024 and reported them to McDonald's India, which had fixed them by late September of the same year.
'We conduct regular audits and assessments to continually strengthen our security measures, implementing all necessary enhancements and ensuring all systems are up to date and secure,' McDonald's India spokesperson Sulakshna Mukherjee told TechCrunch.
McDonald's India has not disclosed how many customers' personal information may have been exposed, but Zveare told TechCrunch that "hundreds of millions of orders" were accessible.
This is not the first such incident: in 2017, McDonald's India's McDelivery app leaked the personal information of approximately 2.2 million users.
in Mobile, Web Service, Security, Posted by logu_ii