McDonalds India's delivery app was a golden honeypot
Would you like data on 2.2 MEELLION users with that API query?
McDonald's India has 'fessed up that its app spaffed personal data to all and sundry and has urged users to install an update.
Over the weekend, a post at Medium said the company's McDelivery app in India was leaking user data through a misconfigured server.
The leaks, disclosed by payment security company Fallible.co, “includes name, email address, phone number, home address, accurate home co-ordinates and social profile links”.
Fallible reckons as many as 2.2 million users' accounts were at risk.
The post explains that a
curl request to the http://services.mcdelivery.co.in/ProcessUser.svc/GetUserProfile API endpoint served up user data without authentication.
Since that endpoint was configured to serve user data without authentication, The Register presumes the app had to be updated so the endpoint could be secured.
McDonalds India gave the usual “value your privacy” explanation and told media outlets financial data like credit card numbers wasn't exposed – which means only sufficient data to mount a workable identity theft attack was leaked.
Fallible says it first notified McDonalds India of the issue in February, and made the disclosure on March 18 because the company didn't offer so much as a "would you like fries with that" in response to its approach.
According to The Hindu, a user has already mounted a complaint under India's data protection laws against the company. ®