
Customers Can Order from McDonald’s Delivery App for Just $0.01 Due to Bug


In the realm of fast food, McDonald’s is a major player with its McDelivery service, operated in India by McDonald’s India (West & South) / Hardcastle Restaurants Pvt. Ltd. McDelivery is offered both as a website and as a mobile app; the mobile app has over 10 million downloads on Google Play and ranks #16 in Food & Drink on the Apple App Store. It lets customers order McDonald’s food for delivery, dine-in, and takeout.

Despite its success, the McDelivery service suffered a security incident in 2017 in which user data was leaked. No similar incident has been publicly reported since, although, as the findings below show, an absence of reports is not evidence of a sound authorization model.

Recently, during an audit of the McDelivery website, a security researcher uncovered a critical Broken Object Level Authorization (BOLA) vulnerability. By changing the order ID in the “order-tracking” route, the researcher could read sensitive details of other customers’ orders, such as order status and delivery location, with no check that the order belonged to the caller.

The root cause was that the endpoint accepted a JWT issued by the guest-login API call as sufficient. That token proved only that the caller held a guest session; the server never verified that the requested order belonged to that session, so a guest token unlocked every order. Because order IDs were sequential, the researcher could simply iterate through them and retrieve other customers’ data, exposing a significant weakness in the app’s authorization mechanism.
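The pattern described above, as an added example that is not code from the McDelivery app or from the researcher’s write-up: a guest-login endpoint issues a genuinely signed JWT, the vulnerable order-tracking handler verifies that signature and nothing else, and the hardened handler additionally binds the order to the token’s subject. The HS256 signing key, the in-memory order store and the sequential order IDs are all constructed here for illustration.

```python
"""BOLA on an order-tracking endpoint: guest JWT accepted, ownership never checked.

Added example, not code from the McDelivery app or the researcher's report.
The HS256 JWT, the in-memory order store and the sequential order IDs are
constructed to illustrate the flaw and its fix.
"""
import base64
import hashlib
import hmac
import json

SECRET = b"server-side-jwt-secret"  # hypothetical signing key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_guest_jwt(guest_id: str) -> str:
    """What a guest-login call hands out: a real signature, but the 'sub'
    claim only identifies an anonymous session, not an account."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": guest_id, "role": "guest"}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str) -> dict:
    """Authentication only: checks the signature and returns the claims."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise PermissionError("bad signature")
    return json.loads(_b64url_decode(payload))


# Constructed order store with sequential IDs, the enumeration-friendly shape
# the article describes.
ORDERS = {
    1001: {"owner": "guest-aaa", "status": "out for delivery", "address": "12 Example St"},
    1002: {"owner": "user-bob", "status": "preparing", "address": "7 Sample Rd"},
    1003: {"owner": "user-carol", "status": "delivered", "address": "3 Test Ave"},
}


def track_order_vulnerable(token: str, order_id: int) -> dict:
    """Authenticates (signature checked) but never authorizes."""
    verify_jwt(token)          # any valid token, including a guest one, passes
    return ORDERS[order_id]    # no ownership check: this is the BOLA


def track_order_hardened(token: str, order_id: int) -> dict:
    """Same lookup, but the order must belong to the token's subject."""
    claims = verify_jwt(token)
    order = ORDERS.get(order_id)
    # Same error for "missing" and "not yours", so the endpoint does not
    # confirm which IDs exist.
    if order is None or order["owner"] != claims["sub"]:
        raise LookupError("order not found")
    return order


def enumerate_orders(track, token: str, start: int, count: int) -> list:
    """What an attacker does with sequential IDs: walk them with one token."""
    leaked = []
    for oid in range(start, start + count):
        try:
            leaked.append((oid, track(token, oid)["owner"]))
        except (KeyError, LookupError):
            pass
    return leaked


if __name__ == "__main__":
    tok = issue_guest_jwt("guest-aaa")
    print("vulnerable:", enumerate_orders(track_order_vulnerable, tok, 1000, 5))
    print("hardened:  ", enumerate_orders(track_order_hardened, tok, 1000, 5))
```

With a single guest token the vulnerable handler leaks every order in the range, while the hardened handler returns only the guest’s own order. Random, non-sequential order IDs would slow enumeration, but they are no substitute for the ownership check: the fix is to compare the object’s owner against the authenticated subject on every request.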

Moreover, the researcher identified several other vulnerabilities within the McDelivery app, including the ability to access driver information, retrieve customer invoices, and create accounts without completing phone-number verification. By calling undocumented APIs directly, the researcher could pull data and generate invoices while bypassing the normal account-creation flow. These findings raised concerns about user privacy and data security on the McDelivery platform.

In another demonstration, the researcher changed the price of items in their own shopping cart by sending a crafted PUT request to the server. The server signed cart contents with an RSA signature to prevent tampering, but it signed whatever the client had submitted, including the altered price, so the signature attested to already-tampered data and the control was bypassed. The lesson is that a signature only guarantees integrity from the point it is applied: prices must be looked up server-side from the catalog rather than taken from the request, and authorization and validation must happen before any data is signed.

According to the write-up from Eaton Works, the researcher also found vulnerabilities in the McDelivery app that could allow an unauthorized user to steal orders: an attacker could change the delivery address of another customer’s order, or take the order over entirely by changing the user ID associated with it. These issues were responsibly reported to McDelivery, which promptly fixed them and acknowledged the researcher’s work with a bug bounty.

In conclusion, the McDelivery app, while popular and convenient, has faced significant security problems both in the past and recently. The latest findings show that the weak points were not exotic: missing ownership checks on object lookups, undocumented APIs exposed without authorization, and trust in client-supplied prices. Continuous testing and reinforcement of server-side authorization and validation remain essential to safeguard user data and privacy in online food delivery services.
