The McDonald’s India app, McDelivery, is leaking personal data for more than 2.2 million of its users, including name, email address, phone number, home address, accurate home coordinates and social profile links. We contacted McDelivery on 7th Feb and received an acknowledgement from a Senior IT Manager on 13th Feb (33 days ago). The issue has not been fixed yet, and our continued efforts to get an update on the fix after the initial acknowledgement have failed.
UPDATE1: McDonald’s India has replied to us that they have fixed the issue and would be releasing an official statement urging their users to upgrade the app.
UPDATE2: The McDonald’s fix is incomplete and the endpoint is still leaking data. We have communicated this again to them and are waiting for their response.
An unprotected, publicly accessible API endpoint for fetching user details, combined with customer IDs that are serially enumerable integers, can be used to obtain the personal information of every user: because the endpoint checks neither who is asking nor whether the caller owns the requested record, an attacker simply requests each ID in turn.
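The following is an added illustration written for this article, not McDelivery's code or the exact endpoint Fallible found. It shows a user-details handler with no authentication and sequential integer IDs beside a hardened version that ties the lookup to the caller's session, and a loop that performs the enumeration described above. Every customer record, session token, header name and path in it is constructed for the example.

```python
# Added example for this article (not McDelivery's code): a user-details
# endpoint with no authentication and sequential integer IDs, beside a
# hardened version that ties the lookup to the caller's session. Every
# record, token and header below is constructed for the illustration.
from dataclasses import dataclass, asdict
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Customer:
    id: int
    name: str
    email: str
    phone: str
    lat: float
    lon: float


# Constructed stand-in for the customer table. Note the sequential IDs.
CUSTOMERS: Dict[int, Customer] = {
    1001: Customer(1001, "A. Sharma", "a.sharma@example.com", "+91-9800000001", 28.6139, 77.2090),
    1002: Customer(1002, "B. Rao", "b.rao@example.com", "+91-9800000002", 12.9716, 77.5946),
    1003: Customer(1003, "C. Mehta", "c.mehta@example.com", "+91-9800000003", 19.0760, 72.8777),
}

# Constructed session store: bearer token -> customer ID it was issued to.
SESSIONS: Dict[str, int] = {"tok-sharma": 1001, "tok-rao": 1002}

Response = Tuple[int, dict]
Handler = Callable[[int, Dict[str, str]], Response]


def vulnerable_get_user(user_id: int, headers: Dict[str, str]) -> Response:
    """GET /users/<id> as described in the article: any caller, any ID.

    The handler never looks at who is asking, so the record behind every
    ID is returned to anyone (an insecure direct object reference).
    """
    customer = CUSTOMERS.get(user_id)
    if customer is None:
        return 404, {"error": "not found"}
    return 200, asdict(customer)


def hardened_get_user(user_id: int, headers: Dict[str, str]) -> Response:
    """Same endpoint with authentication and an ownership check."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "authentication required"}
    owner = SESSIONS.get(auth[len("Bearer "):])
    if owner is None:
        return 401, {"error": "invalid session"}
    # Authorisation: the session must belong to the record requested.
    # Answer 404 rather than 403 so the endpoint does not confirm that
    # other IDs exist.
    if owner != user_id:
        return 404, {"error": "not found"}
    customer = CUSTOMERS.get(user_id)
    if customer is None:
        return 404, {"error": "not found"}
    return 200, asdict(customer)


def enumerate_ids(handler: Handler, start: int, stop: int,
                  headers: Optional[Dict[str, str]] = None) -> Dict[int, dict]:
    """Walk a sequential ID range and keep every record the handler returns.

    This is the attack the article describes: with integer IDs and no
    authorisation, one loop over the ID space dumps the whole user base.
    """
    leaked: Dict[int, dict] = {}
    for uid in range(start, stop + 1):
        status, body = handler(uid, headers or {})
        if status == 200:
            leaked[uid] = body
    return leaked


if __name__ == "__main__":
    dumped = enumerate_ids(vulnerable_get_user, 1000, 1010)
    print(f"unauthenticated scan, vulnerable endpoint: {len(dumped)} records")
    blocked = enumerate_ids(hardened_get_user, 1000, 1010)
    print(f"unauthenticated scan, hardened endpoint: {len(blocked)} records")
    own = enumerate_ids(hardened_get_user, 1000, 1010,
                        {"Authorization": "Bearer tok-sharma"})
    print(f"authenticated scan, hardened endpoint: {sorted(own)}")
```

The ownership check is the control that matters: even with a valid session, the hardened handler returns only the caller's own record. Replacing sequential integers with random opaque identifiers raises the cost of guessing IDs but is not a substitute for that check. When verifying a vendor's fix (UPDATE2 above reports one that was incomplete), the acceptance test is exactly the unauthenticated scan: it must return nothing across the whole ID range, not just for the IDs originally reported.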
The lack of strong data protection and privacy laws or penalties in India, unlike in the European Union, the United States or Singapore, has led to companies ignoring user data protection. There is a similar lack of pressure from non-governmental organisations to improve this situation. We have in the past discovered more than 50 instances of data leaks in several Indian organisations. In fact, we are pleasantly surprised when we find an Indian company without a personal or payment data leak vulnerability in its APIs.
A sample response to the curl request (shown as a screenshot in the original post; it is not reproduced here).
Disclosure Timeline:
- 4th Feb’17 — Fallible reported the issue to McDelivery
- 13th Feb’17 — Issue acknowledged by McDelivery IT Manager.
- 7th March’17 — Fallible sent an email asking about the status, no reply from McDelivery.
- 17th March’17 — Fallible sent another email; no response from McDelivery.
- 18th March’17 — No response yet. McDelivery users are still vulnerable. Public disclosure.
What action to take is now up to each user; the company is still working to resolve the issue. Until then, take care.
Source: HackerNoon