If you use McDonald’s India app, your data is at risk. Cybersecurity firm Fallible reported on Saturday that the McDelivery app leaked personal data of its customers for the unspecified duration of time.
The app has more than 2.2 million registered customers and leaked data included name, email address, phone number, home address, actual location and social profile links.
The vulnerability was found in the publicly accessible API endpoint for getting user details. One can put any random customer id to obtain the personal details.
It is worth to note that McDonald’s operations in India are split into two separate entities – McDonald’s India (West & South) and McDonald’s India (North & East). The vulnerability exists in the app managed by McDonald’s India (West & South). So customers in North and East of India seems to be safe.
It is not yet clear if the data has previously been accessed by a hacker to download the data of customers. The vulnerability was reported to McDonald’s India on February 4 and the updated app has fixed the vulnerability
The good thing is that the app does not store any sensitive financial data of the users. But the personal data of customers can be used for marketing purpose.
It is very misfortunate that companies in India still do not think about cyber security seriously and customers have to strong data privacy and protection laws to claim anything if such incidents happen.
