McDonald’s Happy Meals might make you happy, but the latest finding could ruin the experience, especially in India: the world’s largest fast-food chain faces major security vulnerabilities in its delivery system that exposed sensitive customer information. Security researcher Eaton Zveare claims to have found several security flaws in the application programming interfaces (APIs) used by McDelivery, the delivery system of McDonald’s India (West & South) – as first reported by TechCrunch.
Interestingly, in his blog post, Zveare shares that because of these vulnerabilities, people could even order any number of menu items from McDonald’s India for just ₹1 (~ $0.01 USD). McDonald’s India, with over 320 million customers annually, witnessed a data security lapse within the McDelivery system that is said to have exposed sensitive information such as full names, email addresses, and phone numbers of customers.
To make matters worse, the flaws also allowed access to vehicle numbers, profile pictures, and real-time location data of McDonald’s India delivery drivers. Zveare explains that the API did not properly check whether the person making a request was permitted to do so; because of this missing authorization check, the bugs exposed order invoices and made it possible to submit feedback on other customers’ orders. McDonald’s, which opened its first restaurant in India in 1996, still hasn’t revealed how many customers’ information may have been exposed by these bugs.
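The class of flaw Zveare describes, shown as an added illustration that is not McDonald’s or the researcher’s code: a toy in-memory order API in which invoice access and feedback submission lack an ownership check, beside fixed versions that compare the caller with the order’s owner. The ₹1 checkout is modelled as a client-supplied total; that mechanism is an assumption, since the article does not say how the price bug worked, and all names, prices and order data are constructed.

```python
from dataclasses import dataclass, field

# Constructed menu, in rupees; real prices are not on the page
MENU_PRICES = {"burger": 150, "fries": 90}

@dataclass
class Order:
    order_id: int
    customer_id: int
    items: dict
    invoice: str
    feedback: list = field(default_factory=list)

# Constructed sample orders belonging to two different customers
ORDERS = {
    1001: Order(1001, 7, {"burger": 1}, "invoice for customer 7"),
    1002: Order(1002, 8, {"fries": 2}, "invoice for customer 8"),
}

class Forbidden(Exception):
    pass

def get_invoice_vulnerable(requester_id, order_id):
    # Flaw: the order id is looked up directly and the caller is never
    # compared with the order's owner, so any customer can read any invoice
    return ORDERS[order_id].invoice

def _owned_order(requester_id, order_id):
    # Object-level authorization: a missing order and another customer's
    # order get the same error, so the endpoint does not reveal which ids exist
    order = ORDERS.get(order_id)
    if order is None or order.customer_id != requester_id:
        raise Forbidden("no such order for this customer")
    return order

def get_invoice_fixed(requester_id, order_id):
    return _owned_order(requester_id, order_id).invoice

def submit_feedback_fixed(requester_id, order_id, text):
    order = _owned_order(requester_id, order_id)
    order.feedback.append(text)
    return len(order.feedback)

def checkout_vulnerable(items, client_total):
    # Flaw: the amount charged is whatever the client sent (assumed mechanism)
    return client_total

def checkout_fixed(items, client_total=None):
    # The server recomputes the total from its own menu and ignores the client value
    return sum(MENU_PRICES[name] * qty for name, qty in items.items())
```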
McDonald’s India, which operates over 300 restaurants across the country, has faced such an issue before: in 2017, its delivery app leaked the personal information of around 2.2 million customers. As for the recent incident, Zveare discovered the new vulnerabilities in July 2024, and McDonald’s India fixed them by September 2024 after he reported them to the company.
However, McDonald’s India told TechCrunch that a comprehensive review of the system and its log data was performed, and that it confirmed no security breach had occurred because of the API bugs. The company also stated that no customer data had been accessed by external parties. The disclosure comes at a time when the Indian government is finalizing its draft data protection regulation, which primarily concerns the handling and storage of data by overseas companies.