Key Points / Summary

API flaws in the McDonald’s McDelivery system in India, one of the world’s most popular food delivery apps, enabled a variety of fun exploits:

🍟The ability to order any number of menu items for ₹1 ($0.01 USD).

🍟The ability to steal/hijack/redirect other people’s delivery orders through a specific sequence of carefully timed API calls.

🍟The ability to retrieve the details of any order.

🍟The ability to track any order in the “On the way” status. You could real-time track the location of the driver for any order.

🍟The ability to download invoices for any order.

🍟The ability to submit feedback for orders that are not your own.

🍟The ability to view admin KPI reports.

🍟Sensitive driver/rider information that could be accessed: 🍔Name

🍔Email address

🍔Phone number

🍔Vehicle license plate number

🍔Profile picture

  • rmtworks@lemmy.world
    link
    fedilink
    arrow-up
    13
    arrow-down
    1
    ·
    4 days ago

    I’m glad the company took the report seriously. It is fun to see what kinds of stuff you can accomplish using these vulnerabilities!