[BreachExchange] McShame: McDonald's API Leaks Data for 2.2 Million Users

Mon Mar 20 19:17:50 EDT 2017

http://www.databreachtoday.com/blogs/mcshame-mcdonalds-
api-leaks-data-for-22-million-users-p-2426

Things are getting messy at McDonald's in India, and that's not just for
consumers of the Maharaja Mac - a double-stacked grilled chicken
monstrosity with jalapenos and habanero sauce.

McDonald's has acknowledged that a leaky API exposed personal information
for users of its McDelivery mobile app in India. The flaw, found by
payments company Fallible, exposed names, email addresses, phone numbers,
home addresses and sometimes the coordinates of those homes, as well as
links to social media profiles. And Fallible contends that the leak still
hasn't been properly fixed.

I queried McDonald's to see if it has tried to seal the hole in the API and
also whether it has notified customers or regulators, but I didn't get an
immediate response.

In a March 19 tweet, McDonald's didn't issue any clear answers, instead
taking the well-trodden path of seeking to reassure users by highlighting
what was not breached.

"We would like to inform our users that our website and app does not store
any sensitive financial data of the users like credit card details, wallets
passwords or bank account information," it says. "The website and app has
always been safe to use."

McDonald's has dabbled in home delivery in many countries since the early
1990s, attracting budget diners willing to risk the short half-life of its
sandwiches and fries versus the vagaries of home delivery.

McLeaky McDelivery?

Fallible says it contacted McDonald's India on Feb. 7, letting the
fast-food chain know it could sequentially pull user information from the
API using a curl request.

"An unprotected publicly accessible API endpoint for getting user details
coupled with serially enumerable integers as customer IDs can be used to
obtain access to all users personal information," Fallible writes in a blog
post.

Fallible didn't hear back until Feb. 13, it says. But the issue appeared to
remain unfixed, so Fallible says McDonald's another email on March 7 asking
for a status update. Ten days later, it sent another email and received no
response.

Fallible chose to go public with the issue in a March 18 blog post,
prompting a public acknowledgement from McDonald's on Twitter the next day.
Fallible contends the issue hasn't been fixed, and it's unclear from
McDonald's tweet if it was.

McNotification?

India doesn't have a specific law that requires mandatory reporting of data
breaches. But there are regulations and laws that cover the disclosure of
personal information.

One is the Information Technology Act 2008, referred to as the IT Act.
Another is a batch of rules that went into force in 2011 that describes the
need for "reasonable" security practices when handling personal information.

Under section 43A of the IT Act, companies could be held liable to pay
compensation for a failure to use reasonable measures to protect sensitive
personal data. Additionally, if the information is intentionally disclosed
without consent, criminal penalties could also apply.

Critics, however, contend that India is behind when it comes to strong data
protection and stricter legislation, such as what the European Union has
implemented (see Why India is Still Not Ready for Breach, Privacy Laws).

In its blog post, Fallible writes that the lack of strong data protection
and privacy laws in India has resulted in many companies ignoring related
issues.

"We have in the past discovered more than 50 instances of data leaks in
several Indian organizations," Fallible writes. "In fact, we are pleasantly
surprised when we find Indian companies without a personal or payment data
leak vulnerability in their APIs."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170320/a6c1a9d4/attachment.html>