McDelivery, one of the most widely used applications in India, leaked the personal data of about 2.2 million users, a security firm discovered. According to Fallible, the software security startup that found the bug, the leaked user data included names, email addresses, phone numbers, home addresses, home coordinates and social profile links.
The cause of the leak was an unprotected, publicly reachable API endpoint that returned user information keyed by customer IDs that are sequential, enumerable integers. By iterating through those IDs, all of the users' personal information could be extracted.
Abhishek Anand, Fallible co-founder, said: “The mistake in this case was trivial and ought to have been fixed in a day at max. The app/website provides a facility to retrieve the current user details but does not check if the user ID being asked is the same user who has logged in. The user ID in this case is a plain number that starts from 1 and can be enumerated easily.”
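The flaw Anand describes is a missing object-level authorization check (an insecure direct object reference). As an added illustration that is not McDelivery's code, here is a minimal in-memory stand-in for the "current user details" endpoint with the missing check beside the corrected handler, plus a regression check a defender can run against an endpoint like it; the record set, the `Session` class and the handler names are constructed for the example.

```python
# Added example (not McDelivery's code): an in-memory stand-in for a
# "current user details" endpoint, showing the missing ownership check
# the article describes next to the corrected version.
from dataclasses import dataclass

# Constructed sample records; customer IDs are sequential integers from 1,
# exactly the property that made enumeration trivial.
USERS = {
    1: {"name": "A. Customer", "email": "a@example.invalid", "phone": "+91-0000000001"},
    2: {"name": "B. Customer", "email": "b@example.invalid", "phone": "+91-0000000002"},
    3: {"name": "C. Customer", "email": "c@example.invalid", "phone": "+91-0000000003"},
}


@dataclass
class Session:
    """Hypothetical authenticated session: who the caller logged in as."""
    user_id: int


class Forbidden(Exception):
    """Raised when a caller asks for a record it does not own (HTTP 403)."""


def get_user_details_vulnerable(session: Session, requested_id: int) -> dict:
    """Mirrors the flaw: the session is accepted but never compared with
    requested_id, so any logged-in caller can read any customer record."""
    return USERS[requested_id]


def get_user_details(session: Session, requested_id: int) -> dict:
    """Hardened: bind the lookup to the caller's own identity so the ID in
    the request cannot select another user's record."""
    if requested_id != session.user_id:
        raise Forbidden(f"user {session.user_id} may not read user {requested_id}")
    return USERS[requested_id]


def records_readable_by(handler, session: Session, max_id: int) -> int:
    """Regression check for defenders: how many customer records can ONE
    session read by walking the sequential ID space? The correct answer
    for a per-user endpoint is exactly 1 (the caller's own record)."""
    readable = 0
    for candidate in range(1, max_id + 1):
        try:
            handler(session, candidate)
            readable += 1
        except (Forbidden, KeyError):  # denied, or the ID does not exist
            pass
    return readable
```

Running `records_readable_by` against a staging copy of an endpoint is a cheap automated check that the authorization fix is actually complete, which is the part Fallible said was still missing.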
The vulnerability was reported on Feb. 7, and on Feb. 13 it was acknowledged by the Senior IT Manager at McDonald's. According to Fallible, McDonald's fix was released late and was also incomplete.
Abhishek Anand also said: “We have always respected a company’s request if they wanted more time to fix any issue, but sadly they stopped responding after 4 weeks, which led to us warning users that their data is out in the open. In fact, the ‘fix’ applied right now is incomplete and the vulnerability exists even now, and we have intimated the same to the concerned company.”
As a precautionary measure, McDonald's published a statement over the weekend announcing an updated version of the McDelivery app and saying that it will keep users informed of further updates.
The statement reads: “We would like to inform our users that our website and app do not store any sensitive financial data of the users like credit card details, wallet passwords or bank account information. The website and app have always been safe to use, and we update security measures on a regular basis. As a precautionary measure, we would also urge our users to update the McDelivery app on their devices.”
In the past, more than 50 data leaks at different organizations have occurred in India. According to Fallible, the cause of such frequent data leaks is companies' ignorance of data protection laws in India. Furthermore, the company said, “there is a similar lack of push from non-government organizations to improve this scenario.”
In January, Fallible also revealed that numerous third parties store keys or secrets without any need to, which makes it easier for attackers to use those details to leak data. Some of the most widely used online services involved include Twitter, Dropbox, Flickr, Uber, Slack and Amazon (Amazon Web Services).