McDonald’s pays off security researchers cheaply
A security researcher has discovered serious vulnerabilities in the McDelivery system of the fast food chain McDonald. He was able to view other people’s orders, manipulate prices and order mass quantities of products for just one cent.
Fatal security gaps at McDonald
Security researcher Eaton Zveare has uncovered massive vulnerabilities in McDonald’s McDelivery delivery system in India and explained exactly how in his blog could have triggered masses of incorrect orders. So much in advance: The extent to which these security gaps also appeared in other countries is currently unknown. McDonalds has already reacted and closed the vulnerabilities. The researcher’s discoveries are definitely alarming. By simply changing IDs in the URL, he was not only able to gain insight into third-party orders, but also manipulate them at will.
Exploitation of BOLA vulnerabilities
The security expert exploited so-called BOLA and Broken Object Property Level Authorization vulnerabilities. These gaps made it possible to access data that was not actually intended for the respective user due to a lack of authorization. The researcher demonstrated the vulnerability by ordering 100 hash browns – McDonald’s popular potato pancakes – for just one cent. In order not to cause any actual damage, he immediately canceled the order.
According to Eaton Zveare, with the right timing it would also have been possible to redirect orders from other customers that had already been paid for. An attacker could theoretically have received a menu that was paid for by another customer – without the latter initially noticing the manipulation. This is not the first time that McDonald’s has faced safety issues. Back in 2017, a data breach at McDelivery made headlines in which personal customer data unintentionally became public.
McDonald’s response
McDonald’s responded quickly to the security researcher’s report – all discovered vulnerabilities have now been fixed. As a thank you, the expert received an Amazon voucher worth 240 US dollars (around 231 euros). However, his proposal to receive a “Gold Card” for free food for life at McDonald was rejected.
Research Snipers is currently covering all technology news including Google, Apple, Android, Xiaomi, Huawei, Samsung News, and More. Research Snipers has decade of experience in breaking technology news, covering latest trends in tech news, and recent developments.
