What if I told you that it was possible to order Big Mac for a few cents and hijack other customers' orders at McDonald's?
No, this is not the scenario of a 90s hacker film, but a reality recently discovered in the Indian delivery system of the famous fast food chain.
You calmly order your favorite menu via the McDelivery app in India, and a few minutes later your order is mysteriously redirected to another address. That's exactly what Eaton Zveare, a security researcher at Traceable AI, discovered while analyzing the API of McDonald's India (West and South) delivery system.
The system presented several major vulnerabilities affecting McDelivery, an application with more than 10 million downloads:
- Possibility to order any menu for just 1 rupee
- Ability to divert and redirect current orders
- Access to personal information of customers and delivery people
- Real-time tracking of the position of delivery people
- Download invoices for any order
- Editing customer reviews
Our researcher friend had fun dissecting McDelivery's Angular web application and, like any good hunter of security vulnerabilities, quickly spotted suspicious routes linked to orders. By simply testing the identifiers “0” and “1”, he gained access to information that should have remained confidential.
The vulnerability class is BOLA (Broken Object Level Authorization), a classic but formidable one: the API checks that the caller is logged in but never checks that the object they ask for belongs to them. Thus, by modifying certain parameters in API requests, it was possible to:
- Retrieve details of any order
- Track the GPS location of delivery people in real time
- Access personal information (names, emails, phone numbers)
- Download invoices for all customers
- View administrative performance reports
The most impressive part was the price manipulation. By exploiting a flaw in the shopping cart API, the researcher could order full meals for one rupee. Even more worrying, it was possible to catch an order while it was being paid for, modify the delivery address before finalization, and finally reassign the order to another account. And as a bonus, erase all traces of it for the original customer…
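To make the two failure modes above concrete (the missing ownership check on order lookups and the cart API trusting a client-supplied price), here is an added example that is not McDelivery's code: a toy order service with the vulnerable handler beside its hardened counterpart. The menu, order data and the `support` role are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Order:
    order_id: int
    owner: str        # account that placed the order
    address: str
    total_paise: int  # price fixed by the server at checkout

# Constructed sample data: sequential ids, two customers.
ORDERS = {
    0: Order(0, "alice", "12 Marine Drive", 24900),
    1: Order(1, "bob", "5 Park Street", 18900),
}
MENU_PAISE = {"burger": 24900, "fries": 9900}  # assumed catalogue

class Forbidden(Exception):
    pass

def get_order_vulnerable(caller: str, order_id: int) -> Order:
    """BOLA: the caller is authenticated, but nothing ties the id to them."""
    return ORDERS[order_id]

def get_order_secure(caller: str, order_id: int, roles=()) -> Order:
    """Object-level check: the caller must own the order, or hold a role
    that legitimately spans accounts (assumed here: support staff)."""
    order = ORDERS.get(order_id)
    if order is None or (order.owner != caller and "support" not in roles):
        # One answer for "missing" and "not yours", so ids cannot be enumerated.
        raise Forbidden("order not found")
    return order

def checkout_vulnerable(items: dict, client_total_paise: int) -> int:
    """Trusts the total sent by the client: 1 rupee (100 paise) is accepted."""
    return client_total_paise

def checkout_secure(items: dict, client_total_paise: int) -> int:
    """Recomputes the price from the catalogue and rejects a tampered total."""
    expected = sum(MENU_PAISE[name] * qty for name, qty in items.items())
    if client_total_paise != expected:
        raise Forbidden("price mismatch")  # worth logging as a tamper signal
    return expected
```

A price mismatch or a denied cross-account lookup is a useful detection signal: a burst of them from one account is exactly what id enumeration looks like in the logs.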
Fortunately, the researcher played by the rules and followed a responsible disclosure approach. McDonald's India confirmed that no customer data was compromised before the flaws were fixed. The chain has also strengthened its security measures and updated its systems.
For worried users, McDonald's assures that only restaurants in West and South India were affected, as other countries use different systems. The chain also confirms that no payment data was compromised, since payments are handled by an external provider according to current security standards.
Phew!