Security researchers from Fallible found a serious vulnerability in McDonald's India application that allows attackers to access the data of millions of customers.
There is no authentication or authorization check in the API used by the application. Sending a request to "http://services.mcdelivery.co.in/ProcessUser.svc/GetUserProfile" with a customer id in the header returns that customer's details.
The customer id is a sequential number. All an attacker needs to do is write a script that increments the id to dump all customer data.
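The flaw described above is a classic insecure direct object reference: the server looks up whatever id the client puts in the header. The following added example (not code from Fallible or McDelivery; all names, records and tokens are constructed) models the reported behaviour beside a fixed handler that derives identity from an authenticated session and checks ownership before returning a profile.

```python
"""Model of the McDelivery GetUserProfile flaw and its fix.
All customer records, header names and tokens are constructed for the example."""
import secrets

# Constructed customer store keyed by a sequential customer id, as in the report.
CUSTOMERS = {
    1001: {"name": "Asha", "email": "asha@example.com", "phone": "+91-0000000001"},
    1002: {"name": "Ravi", "email": "ravi@example.com", "phone": "+91-0000000002"},
}

# Session store: opaque, unguessable token -> customer id that logged in.
SESSIONS = {}


def login(customer_id):
    """Issue a high-entropy session token bound to exactly one customer."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer_id
    return token


def get_user_profile_vulnerable(headers):
    """Mirrors the reported flaw: the client-supplied id is trusted outright,
    so any caller can read any record just by changing the number."""
    customer_id = int(headers["CustomerId"])
    return CUSTOMERS.get(customer_id)


class Unauthorized(Exception):
    """No valid session presented (authentication failure)."""


class Forbidden(Exception):
    """Valid session, but it does not own the requested object."""


def get_user_profile_fixed(headers):
    """Authenticate the caller first, then authorise the object it asks for."""
    token = headers.get("Authorization", "")
    if token not in SESSIONS:
        raise Unauthorized("missing or invalid session token")
    owner = SESSIONS[token]
    # If the client omits the id, serve the session's own profile.
    requested = int(headers.get("CustomerId", owner))
    # Ownership check: a session may only read the profile it belongs to.
    if requested != owner:
        raise Forbidden("customer id does not belong to this session")
    return CUSTOMERS[requested]
```

The key change is that the sequential id is never the credential; the session token is, and the id is only honoured when it matches the token's owner.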
"The lack of strong data protection and privacy laws or penalties in India, unlike the European Union, United States or Singapore, has led to companies ignoring user data protection," the researcher said.
"We have in the past discovered more than 50 instances of data leaks in several Indian organizations," the researcher said.
The vulnerability allows attackers to obtain a customer's name, address, email address, phone number, date of birth, GPS coordinates and social profile details.
The researchers reported the issue to McDelivery on 4 February 2017. A few days later (13 February), they received an acknowledgement from the McDelivery IT manager. From 7 March, Fallible tried to contact McDelivery to learn the status of the fix, but received no response. At the time of writing, the bug is still not fixed.
In January 2017, researcher Tijme Gommers found two critical bugs in McDonald's: an insecure cryptographic storage vulnerability and an XSS.