
API flaws in McDelivery system expose users’ sensitive data


Photo: Kelvin Stuttard | Pixabay

A series of vulnerabilities was discovered in the McDelivery system used by McDonald’s India in its West and South regions. This custom-built application, which allows users to order food online or via mobile apps, exposed several critical flaws, including the ability to manipulate order prices, hijack other users’ orders, and access sensitive information about delivery drivers.

The vulnerabilities stemmed primarily from inadequate access controls and flawed API configurations. For instance, broken object-level authorisation (BOLA) allowed unauthorised users to access and manipulate order details.

Additionally, APIs lacked safeguards against unauthorised data modification, enabling users to alter sensitive fields, including order prices and delivery addresses. One particularly concerning exploit allowed attackers to redirect active orders to different locations by altering delivery addresses during payment.

“The McDelivery website and mobile apps are built using Angular, a popular single-page-application framework. It is a good fit for this type of high interactivity consumer-facing app,” the researcher noted.

Furthermore, by sequentially modifying order IDs, users could gain access to other customers’ invoices, order details, and even real-time driver locations, including their personal information such as names, phone numbers, and vehicle license plate numbers.

The exploitation extended beyond customer orders to the administrative side of the system. The researcher uncovered access to internal KPI reports and other backend functionalities by leveraging consumer JWT tokens, although deeper penetration into the admin panel was blocked.

Sensitive driver data accessed on the McDelivery platform. | Source: Eaton Works

Despite this partial success, the ability to access such sensitive data raised significant questions about the overall robustness of the platform’s security mechanisms.

The researcher’s journey to uncover these flaws was marked by meticulously exploring the McDelivery system’s Angular-based architecture. The researcher could identify and exploit weaknesses at multiple levels by manipulating API requests and inspecting JavaScript code.

One particularly striking discovery involved the ability to leave feedback on orders belonging to other users, which could also be retrieved and altered. Similarly, an undocumented API for user creation bypassed the standard phone number verification process, enabling unauthorised account creation.

Among the exploits, the ability to manipulate cart prices before checkout stood out as a stark example of poor validation protocols. The researcher successfully placed orders at dramatically reduced prices by altering the price field within cart objects. While the developers had implemented RSA signatures to safeguard the payment process, this safeguard was undermined by vulnerabilities in the cart object’s data integrity checks.
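The two server-side checks that the BOLA and cart-price flaws described above call for, shown beside the flawed pattern. This is an added example, not code from McDelivery or from the researcher's write-up; the catalogue, cart store, IDs and function names are hypothetical and the data is constructed.

```javascript
// Added illustration; all names and data here are hypothetical and constructed.
const CATALOG = new Map([["burger", 199], ["fries", 99]]); // server-side prices
const carts = new Map(); // cartId -> { owner, items: [{ itemId, qty, price }] }

function newCart(cartId, owner) {
  carts.set(cartId, { owner, items: [] });
}

function cartTotal(cart) {
  return cart.items.reduce((sum, i) => sum + i.price * i.qty, 0);
}

// Flawed pattern: any caller may write to any cart ID, and the client's
// item objects (including their price field) are stored as sent.
function updateCartVulnerable(userId, cartId, clientItems) {
  const cart = carts.get(cartId);
  cart.items = clientItems;
  return cartTotal(cart);
}

// Hardened pattern. userId is assumed to come from the verified token,
// never from the request body.
function updateCartHardened(userId, cartId, clientItems) {
  const cart = carts.get(cartId);
  // Object-level authorisation: same error for "missing" and "not yours",
  // so walking sequential IDs reveals nothing.
  if (!cart || cart.owner !== userId) throw new Error("not found");
  // Copy only the fields a customer may set; the price is looked up server-side.
  const items = clientItems.map(({ itemId, qty }) => {
    if (!CATALOG.has(itemId)) throw new Error("unknown item");
    if (!Number.isInteger(qty) || qty < 1 || qty > 20) throw new Error("bad quantity");
    return { itemId, qty, price: CATALOG.get(itemId) };
  });
  cart.items = items; // assigned only after every item validated
  return cartTotal(cart);
}

// Constructed request: the caller is not the cart owner and sends price: 1.
newCart("cart-1001", "alice");
const tampered = [{ itemId: "burger", qty: 2, price: 1 }];
console.log("vulnerable total:", updateCartVulnerable("mallory", "cart-1001", tampered));
console.log("hardened total:", updateCartHardened("alice", "cart-1001", tampered));
```

Signing the payment request only protects the amount it is given, so the total has to be derived from server-side prices before it is signed.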

While McDonald’s India has now resolved the issues, the revelations are a stark reminder for organisations worldwide to prioritise security testing and implement comprehensive safeguards against potential exploits. The company’s assurance that no customer data was leaked provides some relief for users.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
