McDonald’s has asked users of its McDelivery service in India to update the app on their smartphones as a precaution, after a blog alleging that personal data of 2.2 million customers could have been leaked due to a vulnerability.
“We would like to inform our users that our website and app does not store any sensitive financial data of the users like credit card details, wallets passwords or bank account information,” said a McDonald’s India spokesperson.
Data security firm Fallible in a post on popular blogging platform Medium alleged that it had found the vulnerability in the McDonald’s app, and despite receiving an acknowledgement from the company, the issue was not fixed for over a month. The post said information such as names, phone numbers, email ids, addresses, home coordinates and links to social handles of users of the McDelivery app were vulnerable to leak. Fallible traced the vulnerability to the presence of an “unprotected publicly accessible API endpoint” that could be used to access the user information.
“The lack of strong data protection and privacy laws or penalties in India, unlike the European Union, United States or Singapore has led to companies
ignoring user data protection,” read the post by Fallible.
Fallible claims it contacted McDonald’s on February 7 regarding the vulnerability, and while it got an acknowledgement from a senior IT manager on February 13, the issue was still not fixed. The company followed the responsible disclosure policy, but upon seeing that the issue was not fixed, decided to finally make the news
The company updated the post saying that McDonald’s had contacted them saying the issue was fixed.
While it isn’t known if the bug in the McDonald’s app has led to data being stolen, the US-based fast-food chain has become the latest company to be hauled up for having less than secure systems online. Ride hailing app Ola, music streaming service Gaana, restaurant discovery service Zomato, have all made headlines for having vulnerabilities involving user data.