cybersecurity @infosec.pub 🃏Joker @sh.itjust.works 1 mo. ago

I’m Lovin’ It: Exploiting McDonald’s APIs to hijack deliveries and order food for a penny

eaton-works.com I’m Lovin’ It: Exploiting McDonald’s APIs to hijack deliveries and order food for a penny

A series of API flaws in McDelivery India made it possible to order food for a penny, hijack other people’s delivery orders, view user information, and more.

Key Points / Summary

API flaws in the McDonald’s McDelivery system in India, one of the world’s most popular food delivery apps, enabled a variety of fun exploits:

🍟The ability to order any number of menu items for ₹1 ($0.01 USD).

🍟The ability to steal/hijack/redirect other people’s delivery orders through a specific sequence of carefully timed API calls.

🍟The ability to retrieve the details of any order.

🍟The ability to track any order in the “On the way” status. You could real-time track the location of the driver for any order.

🍟The ability to download invoices for any order.

🍟The ability to submit feedback for orders that are not your own.

🍟The ability to view admin KPI reports.

🍟Sensitive driver/rider information that could be accessed: 🍔Name

🍔Email address

🍔Phone number

🍔Vehicle license plate number

🍔Profile picture

Technology @lemmy.world tkw8 @lemm.ee 3 wk. ago

I’m Lovin’ It: Exploiting McDonald’s India APIs to hijack deliveries and order food for a penny

eaton-works.com /2024/12/19/mcdelivery-india-hack/

You're viewing a single thread.

3 comments

I’m glad the company took the report seriously. It is fun to see what kinds of stuff you can accomplish using these vulnerabilities!