The most used application in India, dubbed McDelivery, leaked the personal data of about 2.2 million users, a security firm discovered. According to Fallible, the software security startup that detected the bug, the leaked user data includes names, email addresses, phone numbers, home addresses, home coordinates and social profile links.
The reported cause of the leak was an unprotected, publicly reachable API endpoint that returned user details, combined with sequential, enumerable integers used as customer IDs. By stepping through those IDs, all of the users' personal information could be extracted.
Abhishek Anand, Fallible co-founder, said, “The mistake in this case was trivial and ought to have been fixed in a day at max. The app/website provides a facility to retrieve the current user details but does not check if the user ID being asked is the same user who has logged in. The user ID in this case is a plain number that starts from 1 and can be enumerated easily.”
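The missing check Anand describes, as an added example that is not McDelivery's code: a handler that returns whichever user ID the request names, beside one that takes identity from the server-side session, plus a regression check that counts other users' records returned under one session. The user records, session tokens and function names are constructed for illustration.

```python
# Constructed sample data; names and fields are hypothetical.
USERS = {
    1: {"name": "Asha", "email": "asha@example.test", "phone": "000-0001"},
    2: {"name": "Ravi", "email": "ravi@example.test", "phone": "000-0002"},
    3: {"name": "Meera", "email": "meera@example.test", "phone": "000-0003"},
}
# Session token -> authenticated user ID, as set at login (constructed).
SESSIONS = {"tok-asha": 1, "tok-ravi": 2}

class Forbidden(Exception):
    """Raised when the caller is not allowed to read the record."""

def get_user_details_vulnerable(token, requested_id):
    # Flawed pattern from the article: the caller gets whichever ID it names;
    # the session is never compared with the requested ID.
    return USERS.get(requested_id)

def get_user_details_fixed(token, requested_id=None):
    # Identity comes from the server-side session, never from the request.
    session_user = SESSIONS.get(token)
    if session_user is None:
        raise Forbidden("not authenticated")
    # A client-supplied ID is accepted only when it matches the session.
    if requested_id is not None and requested_id != session_user:
        raise Forbidden("requested ID does not belong to this session")
    return USERS[session_user]

def records_exposed(handler, token, id_range):
    """Regression check: count records other than the caller's own that the
    handler returns when each ID in id_range is requested under one session."""
    own = SESSIONS.get(token)
    exposed = 0
    for uid in id_range:
        try:
            rec = handler(token, uid)
        except Forbidden:
            continue
        if rec is not None and uid != own:
            exposed += 1
    return exposed

if __name__ == "__main__":
    ids = range(1, 4)
    print("vulnerable:", records_exposed(get_user_details_vulnerable, "tok-asha", ids))
    print("fixed:     ", records_exposed(get_user_details_fixed, "tok-asha", ids))
```

Run as a test against the real handler, a non-zero count from `records_exposed` means the ownership check is missing or incomplete.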
The vulnerability was exposed on Feb. 7, and on Feb. 13 it was acknowledged by the Senior IT Manager at McDonald's. According to Fallible, McDonald's fix was released late and was also incomplete.
Abhishek Anand also said, “We have always respected a company’s request if they wanted more time to fix any issue but sadly they stopped responding after 4 weeks which led to us warning users that their data is out in the open. In fact, the ‘fix’ applied right now is incomplete and the vulnerability exists even now and we have intimated the same to the concerned company.”
As a precautionary measure, McDonald's published a statement over the weekend about an updated iteration of the McDelivery app, saying that it will inform users about further updates.
The statement reads, “We would like to inform our users that our website and app does not store any sensitive financial data of the users like credit card details, wallets passwords or bank account information. The website and app has always been safe to use, and we update security measure on regular basis. As a precautionary measure, we would also urge our users to update the McDelivery app on their devices.”
In the past, more than 50 data leaks affecting different organizations have occurred in India. According to Fallible, the cause of such frequent data leaks is companies' ignorance of data protection laws in India. Furthermore, the company said, “there is a similar lack of push from non-government organizations to improve this scenario.”
In January, Fallible also revealed that numerous third parties store keys or secrets without any reason, which makes it easier for attackers to use the available details and leak data. Some of the most used online services involved include Twitter, Dropbox, Flickr, Uber, Slack and Amazon (Amazon Web Services).
About the Author
Waqas is a cybersecurity journalist and writer who has a knack for writing technology and online privacy-focused articles. He strives to help achieve a secure online environment and is skilled in writing topics related to cybersecurity, AI, DevOps, Cloud security, and a lot more. As seen in: Computer.org, Nordic APIs, Infosecinstitute.com, Tripwire.com, and VentureBeat.