McShame: McDonald's API Leaks Data for 2.2 Million Users
McDonald's Finally Confirmed McDelivery Breach After Being Outed by Researcher
Things are getting messy at McDonald's in India, and that's not just for consumers of the Maharaja Mac - a double-stacked grilled chicken monstrosity with jalapenos and habanero sauce.
McDonald's has acknowledged that a leaky API exposed personal information for users of its McDelivery mobile app in India. The flaw, found by payments company Fallible, exposed names, email addresses, phone numbers, home addresses and sometimes the coordinates of those homes, as well as links to social media profiles. And Fallible contends that the leak still hasn't been properly fixed.
I queried McDonald's to see if it has tried to seal the hole in the API and also whether it has notified customers or regulators, but I didn't get an immediate response.
In a March 19 tweet, McDonald's didn't issue any clear answers, instead taking the well-trodden path of seeking to reassure users by highlighting what was not breached.
"We would like to inform our users that our website and app does not store any sensitive financial data of the users like credit card details, wallets passwords or bank account information," it says. "The website and app has always been safe to use."
Statement from McDonalds India. pic.twitter.com/1tK5D1FACp— McDonald's India (@mcdonaldsindia) March 18, 2017
McDonald's has dabbled in home delivery in many countries since the early 1990s, attracting budget diners willing to risk the short half-life of its sandwiches and fries versus the vagaries of home delivery.
Fallible says it contacted McDonald's India on Feb. 7, letting the fast-food chain know it could sequentially pull user information from the API using a curl request.
"An unprotected publicly accessible API endpoint for getting user details coupled with serially enumerable integers as customer IDs can be used to obtain access to all users' personal information," Fallible writes in a blog post.
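The flaw Fallible describes is the classic insecure direct object reference: an endpoint that returns whichever record matches the integer you pass, with no check that the caller owns it. The following is an added illustration, not code from McDonald's, Fallible or the McDelivery app; the user table, session store and log lines are constructed placeholders. It shows the vulnerable handler beside a hardened one that binds the lookup to the authenticated session, plus a simple log check that flags the access pattern a sequential scrape leaves behind.

```python
import secrets

# Constructed sample data standing in for a user-details table (not real records).
USERS = {
    1001: {"name": "A. Customer", "email": "a@example.invalid", "phone": "+91-00000-00001"},
    1002: {"name": "B. Customer", "email": "b@example.invalid", "phone": "+91-00000-00002"},
}

# Vulnerable pattern described in the article: any caller, authenticated or not,
# gets back whatever record matches the sequential integer customer ID it supplies.
def get_user_details_vulnerable(customer_id):
    return USERS.get(customer_id)

# Hardened pattern: an opaque session token is bound to one customer at login,
# and the handler only returns the record that belongs to that session.
SESSIONS = {}  # session token -> customer_id (constructed, in-memory)

def login(customer_id):
    token = secrets.token_urlsafe(32)  # unguessable, unlike the integer ID
    SESSIONS[token] = customer_id
    return token

def get_user_details_hardened(session_token, customer_id):
    owner = SESSIONS.get(session_token)
    if owner is None:
        raise PermissionError("unauthenticated")
    if owner != customer_id:
        # Server-side ownership check: this is what stops enumeration,
        # regardless of how guessable the customer IDs are.
        raise PermissionError("forbidden")
    return USERS.get(customer_id)

def is_denied(session_token, customer_id):
    """True if the hardened handler refuses the request."""
    try:
        get_user_details_hardened(session_token, customer_id)
    except PermissionError:
        return True
    return False

# Detection: one caller requesting many distinct customer IDs is what a
# sequential scrape of this endpoint looks like in the access log.
def suspicious_callers(access_log, threshold=5):
    seen = {}
    for caller, customer_id in access_log:  # (source address, requested ID)
        seen.setdefault(caller, set()).add(customer_id)
    return sorted(c for c, ids in seen.items() if len(ids) >= threshold)
```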
Fallible didn't hear back until Feb. 13, it says. But the issue appeared to remain unfixed, so Fallible says it sent McDonald's another email on March 7 asking for a status update. Ten days later, it sent another email and received no response.
Fallible chose to go public with the issue in a March 18 blog post, prompting a public acknowledgement from McDonald's on Twitter the next day. Fallible contends the issue hasn't been fixed, and it's unclear from McDonald's tweet if it was.
India doesn't have a specific law that requires mandatory reporting of data breaches. But there are regulations and laws that cover the disclosure of personal information.
One is the Information Technology Act 2008, referred to as the IT Act. Another is a batch of rules that went into force in 2011 that describes the need for "reasonable" security practices when handling personal information.
Under section 43A of the IT Act, companies could be held liable to pay compensation for a failure to use reasonable measures to protect sensitive personal data. Additionally, if the information is intentionally disclosed without consent, criminal penalties could also apply.
Critics, however, contend that India is behind when it comes to strong data protection and stricter legislation, such as what the European Union has implemented (see Why India is Still Not Ready for Breach, Privacy Laws).
In its blog post, Fallible writes that the lack of strong data protection and privacy laws in India has resulted in many companies ignoring related issues.
"We have in the past discovered more than 50 instances of data leaks in several Indian organizations," Fallible writes. "In fact, we are pleasantly surprised when we find Indian companies without a personal or payment data leak vulnerability in their APIs."