McDonald’s India app ‘leaks’ 2.2mn addresses, phone numbers; card details safe
Fastfood giant McDonald’s said on twitter that their Mobile App – McDelivery – did not store financial data of customers. This was after the technology blog hackernoon reported on Saturday that the app was found to be “leaking” user data for more than 2.2 million users.Updated: Mar 20, 2017 18:00 IST
Fastfood giant McDonald’s said on twitter that their Mobile App – McDelivery – did not store financial data of customers. This was after the technology blog hackernoon reported on Saturday that the app was found to be “leaking” user data for more than 2.2 million users.
According to a report published on the website by cybersecurity firm Fallible, ‘The McDonald’s India app, McDelivery is leaking personal data for more than 2.2 million of its users which includes name, email address, phone number, home address, accurate home co-ordinates and social profile links.’
The report blames an unprotected publicly accessible API endpoint that can be coupled with a series of numbers that act as customer IDs that can be used to obtain access to all users’ personal information. The post reported that a curl request to the http://services.mcdelivery.co.in/ProcessUser.svc/GetUserProfile API endpoint served up user data without authentication.
The writers report that they sent this information to McDonald’s in early February and even received an acknowledgement from a Senior IT Manager; but the ‘leak’ had not been fixed when the report was published.
The official response from McDonald’s was posted on their twitter page, “Our website and app do not store any sensitive financial data of users like credit card details, wallet passwords or bank account information.” “The website and app has always been safe to use, and we update security measure on regular basis,” the tweet said.
Statement from McDonalds India. pic.twitter.com/1tK5D1FACp— McDonald's India (@mcdonaldsindia) March 18, 2017
However, there was no mention of the security breach of personal data such as phone numbers, home addresses, and social profile links.
In an update to the report on hackernoon, Fallible has reported that McDonalds replied to them that the issue had been fixed; but they said, “he McDonald’s fix is incomplete and the endpoint is still leaking data.”
They report that they have communicated this opinion to McDonald’s again, and are waiting for their response.