A security researcher has discovered serious vulnerabilities in the McDelivery system of the fast food chain McDonald. He was able to view other people’s orders, manipulate prices and order mass quantities of products for just one cent.
Security researcher Eaton Zveare has uncovered massive vulnerabilities in McDonald’s McDelivery delivery system in India and explained exactly how in his blog could have triggered masses of incorrect orders. So much in advance: The extent to which these security gaps also appeared in other countries is currently unknown. McDonalds has already reacted and closed the vulnerabilities. The researcher’s discoveries are definitely alarming. By simply changing IDs in the URL, he was not only able to gain insight into third-party orders, but also manipulate them at will.
The security expert exploited so-called BOLA and Broken Object Property Level Authorization vulnerabilities. These gaps made it possible to access data that was not actually intended for the respective user due to a lack of authorization. The researcher demonstrated the vulnerability by ordering 100 hash browns – McDonald’s popular potato pancakes – for just one cent. In order not to cause any actual damage, he immediately canceled the order.
According to Eaton Zveare, with the right timing it would also have been possible to redirect orders from other customers that had already been paid for. An attacker could theoretically have received a menu that was paid for by another customer – without the latter initially noticing the manipulation. This is not the first time that McDonald’s has faced safety issues. Back in 2017, a data breach at McDelivery made headlines in which personal customer data unintentionally became public.
McDonald’s responded quickly to the security researcher’s report – all discovered vulnerabilities have now been fixed. As a thank you, the expert received an Amazon voucher worth 240 US dollars (around 231 euros). However, his proposal to receive a “Gold Card” for free food for life at McDonald was rejected.
Research Snipers is currently covering all technology news including Google, Apple, Android, Xiaomi, Huawei, Samsung News, and More. Research Snipers has decade of experience in breaking technology news, covering latest trends in tech news, and recent developments.
New render images provide a preview of the upcoming Samsung Galaxy Tab S12 Ultra. While…
Taiwan Semiconductor Manufacturing Company (TSMC) has once again provided an outlook on its plans for…
The iPad Mini could soon see notable innovations for the first time in years. According…
A current leak shows Google's upcoming folding smartphone in a new color variant. In addition…
The car manufacturer Tesla has brought a new two-wheeler onto the market. However, this is…
The global smartphone market is experiencing a severe downturn, recording its worst quarter in 13…