McDonald’s Delivery App Vulnerability: A Wake-Up Call for API Security

A critical security flaw in McDonald’s McDelivery app, one of India’s leading food delivery platforms, was recently uncovered by an ethical hacker. The vulnerability allowed malicious users to exploit the app’s API and place unlimited orders for just $0.01. This incident highlights the growing importance of robust API security for consumer-facing applications.

Tags: API, Vulnerability

12/31/2024

The Vulnerability Uncovered

The McDelivery app, operated by McDonald’s India (West & South) under Hardcastle Restaurants Pvt. Ltd., was found to have several flaws in its API. These vulnerabilities exposed sensitive data and allowed unauthorized users to perform a range of malicious activities, including:

  1. Manipulated Pricing:

    • Hackers could place orders for as little as ₹1 ($0.01 USD) by exploiting a cart price manipulation vulnerability.

  2. Order Hijacking:

    • Attackers could redirect another user’s order to their own address by carefully timing API requests and altering the assigned address or user ID.

  3. Delivery Tracking Exploit:

    • The API allowed unauthorized access to real-time delivery tracking, exposing the location and personal details of delivery drivers.

  4. Sensitive Data Exposure:

    • Users could access order details, download invoices, and submit feedback on orders they didn’t place.

  5. Driver Information Leak:

    • Personal details of delivery drivers, including their names, phone numbers, email addresses, profile pictures, and vehicle license plate numbers, were accessible.

  6. Admin Data Breach:

    • Unauthorized users could view admin Key Performance Indicator (KPI) reports, compromising operational data.

The Ethical Hacker’s Investigation

The flaws fall into two well-known API weakness classes: Broken Object Level Authorization (BOLA) and Mass Assignment. Although the McDelivery app used Angular for its single-page front end and JWT tokens for authentication, authenticating a user is not the same as authorizing each request: the API did not check that the caller was entitled to the specific order, invoice or driver record being requested, nor did it restrict which fields a client could set.

Key Exploits
  • Price Manipulation: The hacker altered the “price” parameter in the cart object sent to the API; because the server accepted the client-supplied price instead of recomputing it from its own catalogue, nearly free orders went through.

  • Order Hijacking: By modifying the address or user ID fields in API requests, attackers could redirect in-progress orders to their own locations.

  • Sensitive Data Retrieval: By changing the order ID in API requests, the hacker could download other customers’ invoices and monitor their deliveries in real time.
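The two patterns above, client-trusted pricing (mass assignment) and order lookups without an ownership check (BOLA), are easiest to see in code. The following is an added illustration written for this article, not McDelivery’s code; it is a toy in-memory order service with constructed item names, prices and order IDs, showing each weak handler next to its hardened counterpart.

```python
"""Added example (not McDelivery's code): a toy in-memory order API showing
the price-manipulation (mass assignment) and BOLA patterns beside their
hardened forms. Catalogue items, prices (INR) and IDs are constructed."""
from dataclasses import dataclass

# Constructed catalogue: the server's own source of truth for prices.
CATALOGUE = {"mcaloo_tikki": 49.0, "fries_medium": 99.0}


@dataclass
class Order:
    order_id: int
    owner: str
    items: dict          # item_id -> quantity
    total: float
    address: str
    status: str = "placed"


ORDERS: dict = {}        # order_id -> Order (constructed, in-memory store)


def _next_id() -> int:
    return max(ORDERS, default=1000) + 1


# --- Price manipulation via mass assignment ---------------------------------

def place_order_vulnerable(user: str, payload: dict) -> Order:
    """Copies every client-supplied field, including 'total', into the order."""
    order = Order(order_id=_next_id(), owner=user, items=payload["items"],
                  total=payload["total"], address=payload["address"])
    ORDERS[order.order_id] = order
    return order


def place_order_secure(user: str, payload: dict) -> Order:
    """Allow-lists the fields a client may set and recomputes the total
    server-side from the catalogue; a client-sent 'total' is ignored."""
    items = payload["items"]
    unknown = set(items) - set(CATALOGUE)
    if unknown:
        raise ValueError(f"unknown items: {sorted(unknown)}")
    if any(not isinstance(q, int) or q < 1 for q in items.values()):
        raise ValueError("quantities must be positive integers")
    total = sum(CATALOGUE[i] * q for i, q in items.items())
    order = Order(order_id=_next_id(), owner=user, items=dict(items),
                  total=total, address=str(payload["address"]))
    ORDERS[order.order_id] = order
    return order


# --- BOLA on order lookup and address change ---------------------------------

def get_order_vulnerable(order_id: int) -> Order:
    """Any authenticated caller can read any order by supplying its ID."""
    return ORDERS[order_id]


def get_order_secure(user: str, order_id: int) -> Order:
    """Object-level check: the order must belong to the caller. A missing
    order and someone else's order give the same error, so the endpoint
    does not reveal which IDs exist."""
    order = ORDERS.get(order_id)
    if order is None or order.owner != user:
        raise PermissionError("order not found")
    return order


def change_address_secure(user: str, order_id: int, new_address: str) -> Order:
    """Ownership check plus a state check: the delivery address is frozen
    once the order has left the 'placed' state."""
    order = get_order_secure(user, order_id)
    if order.status != "placed":
        raise PermissionError("address can no longer be changed")
    order.address = new_address
    return order


if __name__ == "__main__":
    payload = {"items": {"fries_medium": 2}, "total": 1.0, "address": "Flat 4"}
    print("vulnerable total:", place_order_vulnerable("alice", payload).total)
    print("secure total:    ", place_order_secure("alice", payload).total)
```

The hardened handlers apply two rules that would have closed the issues described in the report: the server, not the client, decides what an order costs and which fields are writable, and every lookup or update of an object is checked against the identity in the authenticated session before anything is returned or changed.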

Privacy and Security Risks

The exposed vulnerabilities posed serious risks to user privacy and McDonald’s reputation. Customer orders, driver locations, and sensitive details were all at risk. The ethical hacker emphasized in their report: “These vulnerabilities are not just technical flaws; they represent a real danger to user privacy and McDonald’s reputation.”

McDonald’s Response

The ethical hacker compiled a detailed 24-page report and submitted it to McDelivery’s bug bounty program. McDonald’s India acted swiftly, fixing all reported vulnerabilities within the industry-standard 90-day period. While the response time was slower than ideal, the company ensured thorough patches for each issue.

McDonald’s India’s bug bounty program deserves credit for fostering collaboration with ethical hackers to enhance security. However, it’s worth noting that McDonald’s USA lacks a similar program, drawing criticism from security professionals.

Lessons Learned

With over 10 million downloads on Google Play and a significant presence on the Apple App Store, McDelivery is a cornerstone of McDonald’s operations in India. This incident underscores the necessity of continuous security assessments for applications managing sensitive customer data and financial transactions.

Key Takeaways:
  1. Strengthen API Security: Validate prices and other order fields on the server rather than trusting the client, and check that the caller is authorized for every object a request touches.

  2. Encourage Ethical Hacking: Bug bounty programs are vital for identifying and addressing vulnerabilities.

  3. Prioritize Privacy: Safeguard user and driver information to build trust and maintain reputation.

  4. Continuous Monitoring: Regular audits and updates are essential to preempt emerging threats.
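The fourth takeaway, continuous monitoring, benefits from a concrete check. The block below is an added example, not code from the article or from McDelivery, that runs two detections over a few constructed JSON access-log lines: order reads by a user who does not own the order (the BOLA pattern), and checkouts whose client-supplied total does not match the server catalogue (the price-manipulation pattern). The log format, catalogue and ownership table are assumptions made for the example.

```python
"""Added example (not McDelivery's code): detection logic for the two abuse
patterns in this article, run over constructed API access-log lines. The log
schema, catalogue prices and order-ownership table are all assumptions."""
import json
import re
from collections import defaultdict

# Constructed reference data the detector would normally read from the backend.
CATALOGUE = {"mcaloo_tikki": 49.0, "fries_medium": 99.0}
ORDER_OWNERS = {1001: "u7", 1002: "u7", 1003: "u42"}

# Constructed sample log: one JSON object per line; the last line is
# deliberately malformed to show that a bad line does not stop analysis.
SAMPLE_LOG = """\
{"ts":"2024-12-01T10:00:01Z","user":"u42","method":"GET","path":"/orders/1003","status":200}
{"ts":"2024-12-01T10:00:02Z","user":"u42","method":"GET","path":"/orders/1001","status":200}
{"ts":"2024-12-01T10:00:03Z","user":"u42","method":"GET","path":"/orders/1002","status":200}
{"ts":"2024-12-01T10:00:09Z","user":"u9","method":"POST","path":"/cart/checkout","status":200,"items":{"fries_medium":2},"total":1.0}
{"ts":"2024-12-01T10:00:11Z","user":"u7","method":"POST","path":"/cart/checkout","status":200,"items":{"mcaloo_tikki":1},"total":49.0}
this line is not json
"""

ORDER_PATH = re.compile(r"^/orders/(\d+)$")


def parse_log(text: str) -> list:
    """Parse JSON lines, skipping blank or malformed ones."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def find_foreign_order_reads(events: list, owners: dict) -> list:
    """Successful reads of /orders/<id> by a user who is not the owner.
    Each hit is (user, order_id, owner)."""
    hits = []
    for ev in events:
        m = ORDER_PATH.match(ev.get("path", ""))
        if not m or ev.get("method") != "GET" or ev.get("status") != 200:
            continue
        order_id = int(m.group(1))
        owner = owners.get(order_id)
        if owner is not None and owner != ev.get("user"):
            hits.append((ev["user"], order_id, owner))
    return hits


def find_price_mismatches(events: list, catalogue: dict, tolerance: float = 0.01) -> list:
    """Checkouts whose submitted total differs from the catalogue total.
    Each hit is (user, submitted_total, expected_total)."""
    hits = []
    for ev in events:
        if ev.get("path") != "/cart/checkout" or "items" not in ev:
            continue
        expected = sum(catalogue.get(i, 0.0) * q for i, q in ev["items"].items())
        submitted = float(ev.get("total", 0.0))
        if abs(submitted - expected) > tolerance:
            hits.append((ev["user"], submitted, expected))
    return hits


def distinct_orders_per_user(events: list) -> dict:
    """How many distinct order IDs each user read; a high count from one
    account is the signature of ID enumeration."""
    seen = defaultdict(set)
    for ev in events:
        m = ORDER_PATH.match(ev.get("path", ""))
        if m and ev.get("method") == "GET":
            seen[ev["user"]].add(int(m.group(1)))
    return {user: len(ids) for user, ids in seen.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("foreign reads:", find_foreign_order_reads(evs, ORDER_OWNERS))
    print("price mismatches:", find_price_mismatches(evs, CATALOGUE))
    print("orders read per user:", distinct_orders_per_user(evs))
```

Detections like these complement the server-side fixes rather than replace them: a mismatch between the client-sent total and the recomputed total, or one account reading many orders it does not own, is exactly the signal a monitoring team should alert on while the underlying authorization bug is being fixed.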

While the vulnerabilities have been patched, this case serves as a stark reminder: companies must prioritize user safety and privacy, learning from incidents like these to avoid similar oversights in the future. As the digital landscape evolves, so must our approach to security.