
McDonald’s Food Chain - 2.2 Million INDIAN Customer Records Leaked by McDelivery Web App


The world-famous American hamburger and fast-food chain McDonald's uses a web application named McDelivery to take delivery orders in India. Security researchers at Fallible (a security start-up) discovered a vulnerability in this McDelivery web application. According to the researchers, it is possible to dump the personal records of 2.2 million Indian McDonald's customers by exploiting this vulnerability.


What is the Vulnerability?

The vulnerability resides in an unprotected, publicly accessible API endpoint. The endpoint was designed by the developers to return a user's details when given that user's customer id, and those customer ids are sequential integers. An attacker could write a script that walks through the id range and retrieves the personal information of all 2.2 million customers. In simple terms, the McDelivery web app does not verify that the logged-in user requesting a record is the owner of that record: the user id in the API request is a plain number, and the server does not check it against the session, so an attacker can change it to retrieve other users' data (an insecure direct object reference).
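As an added illustration (not code from McDelivery or from Fallible's write-up), the following Python shows the flaw class in miniature: a profile lookup that trusts the customer id supplied in the request, beside a hardened version that takes the id from the session. The records, session store and function names are constructed for the example.

```python
# Added example: an insecure direct object reference (IDOR) of the kind described
# above, shown as a vulnerable lookup beside a hardened one. Records, the session
# model and all names are constructed for illustration, not taken from any real app.
import secrets

# Constructed sample "customer records" keyed by sequential integer customer id.
CUSTOMERS = {
    1001: {"name": "A. Sharma", "phone": "+91-00000-00001", "email": "a@example.invalid"},
    1002: {"name": "B. Verma", "phone": "+91-00000-00002", "email": "b@example.invalid"},
}

# Session token -> customer id that owns the session (what a login system would set).
SESSIONS: dict[str, int] = {}


class Forbidden(Exception):
    """Raised when a request is not allowed to see the record it asked for."""


def login(customer_id: int) -> str:
    """Create a session for a customer and return its random token."""
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = customer_id
    return token


def get_profile_vulnerable(token: str, requested_id: int) -> dict:
    """Vulnerable: checks only that *some* session exists, then returns whatever id
    the caller asked for. Because ids are sequential, a loop over them dumps every record."""
    if token not in SESSIONS:
        raise Forbidden("not logged in")
    return CUSTOMERS[requested_id]


def get_profile_hardened(token: str, requested_id: int) -> dict:
    """Hardened: the owning id comes from the session, and a request for any other
    id is refused. The object id in the request is never trusted on its own."""
    owner = SESSIONS.get(token)
    if owner is None:
        raise Forbidden("not logged in")
    if requested_id != owner:
        raise Forbidden("session does not own the requested record")
    return CUSTOMERS[owner]


def demo() -> tuple[bool, bool]:
    """Log in as customer 1001 and ask both handlers for customer 1002's record.
    Returns (vulnerable handler leaked it, hardened handler blocked it)."""
    token = login(1001)
    leaked = get_profile_vulnerable(token, 1002)["name"] == "B. Verma"
    try:
        get_profile_hardened(token, 1002)
        blocked = False
    except Forbidden:
        blocked = True
    return leaked, blocked
```

Replacing sequential ids with random, non-guessable public identifiers makes bulk enumeration harder, but it is not a substitute for the ownership check in the hardened handler.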


The security firm Fallible published a blog post last week stating that McDonald's McDelivery web application is hackable and is leaking 2.2 million personal records of Indian customers. The leaked information includes full name, phone number, social profile links, email address, home coordinates and full residential address. Fallible had already reported the vulnerability to McDonald's.


Patched or Not?

According to Fallible, they reported the issue to McDonald's on February 7, 2017. A week later they received an email from a senior IT manager at McDonald's saying that the vulnerability had been patched by their team. The researchers then tried the same exploit again and still retrieved all 2.2 million records. Fallible reported it again but received no reply.


On 7 March and 17 March Fallible emailed McDonald's to ask about the status of the patch, but again received no reply. This suggests the McDelivery vulnerability is still unpatched. Companies are not treating the security of customer data as a priority. As long as the web app leaks this personal data, criminals could use it to target McDonald's customers through social media and email phishing campaigns.
