Exploiting McDonald's APIs to hijack deliveries and order food for a penny
A security researcher found multiple vulnerabilities in McDonald's McDelivery system in India, allowing unauthorized access to user orders and sensitive information, highlighting the need for improved security measures.
A security researcher discovered multiple vulnerabilities in McDonald's McDelivery system in India. They allowed food to be ordered for just ₹1 (approximately $0.01), other users' delivery orders to be hijacked, sensitive information such as driver details to be accessed, and order invoices to be manipulated. The flaws were primarily Broken Object Level Authorization (BOLA) and Broken Object Property Level Authorization (BOPLA), which enabled unauthorized access to order details and allowed prices to be altered during checkout. Although McDonald's runs a bug bounty program in India, the researcher noted that the system had not been adequately secured since a previous data leak in 2017. The vulnerabilities were exploited through a series of API calls, showing that the system's design made order IDs and other request parameters easy to manipulate. The researcher ultimately created an account without verification and successfully placed an order at a manipulated price, highlighting the need for improved security measures in the application.
- McDonald's McDelivery system in India had significant API vulnerabilities.
- Users could order food for just ₹1 and hijack other users' orders.
- Sensitive driver information was accessible through the system.
- The researcher exploited flaws related to BOLA and BOPLA.
- The findings emphasize the need for enhanced security protocols in food delivery applications.
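To make the two flaw classes concrete, here is an added example (not code from the article or from McDonald's) of a minimal order API showing the BOLA and BOPLA pattern summarized above next to its server-side fix. The catalog, order records, user names and function names are constructed for illustration.

```python
# Added example: constructed order store and catalog (prices in INR, hypothetical).
from dataclasses import dataclass

CATALOG = {"burger": 199, "fries": 99}


@dataclass
class Order:
    order_id: int
    owner: str
    items: dict   # item name -> quantity
    total: int


ORDERS = {
    1001: Order(1001, "alice", {"burger": 1}, 199),
    1002: Order(1002, "bob", {"fries": 2}, 198),
}


class Forbidden(Exception):
    pass


# BOLA: the lookup is keyed on the order ID alone, so any authenticated caller
# who supplies another customer's ID receives that customer's order.
def get_order_vulnerable(caller: str, order_id: int) -> Order:
    return ORDERS[order_id]


# Fix: scope the lookup to the caller; respond the same way for a missing ID
# and for someone else's ID so the endpoint does not confirm which IDs exist.
def get_order_fixed(caller: str, order_id: int) -> Order:
    order = ORDERS.get(order_id)
    if order is None or order.owner != caller:
        raise Forbidden("order not found")
    return order


# BOPLA: checkout trusts the total carried in the request body.
def checkout_vulnerable(caller: str, items: dict, client_total: int) -> int:
    return client_total


# Fix: ignore any client-supplied amount and recompute the total from the
# server-side catalog; unknown items or bad quantities are rejected outright.
def checkout_fixed(caller: str, items: dict, client_total: int = None) -> int:
    total = 0
    for name, qty in items.items():
        if name not in CATALOG or qty <= 0:
            raise ValueError(f"invalid item {name!r}")
        total += CATALOG[name] * qty
    return total
```

The same two checks, object ownership on every lookup and server-side recomputation of every price-bearing field, are what a code review of such an API should look for first.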
Related
Man makes money buying his own pizza on DoorDash app
A US pizza restaurant owner discovered DoorDash selling his pizzas at lower prices without permission. DoorDash conducted a trial without informing owners, sparking scrutiny over its business practices and CEO's controversial remarks.
DoorDash and Pizza Arbitrage
The article explores pizza arbitrage, where a restaurant profits by exploiting price differences on DoorDash. It critiques food delivery inefficiencies and proposes alternative models for sustainable growth in the industry.
Australians Using Browser Replay Attacks to Get Cheap KFC
Users on OzBargain exploit KFC's system vulnerabilities to buy discounted chicken. Tactics include replay attacks and loophole exploitation. Despite KFC's efforts to patch, users persist in finding new ways for deals.
What's inside the QR code menu at this cafe?
A recent investigation revealed significant security flaws in Dotpe's QR code menu system, allowing unauthorized access to sensitive customer data, raising concerns about data privacy and the need for improved security measures.
McDonald's and supermarkets failed to spot slavery
Nine victims of modern slavery were exploited at a McDonald's and a bakery in the UK, with clear signs missed by the companies. McDonald's is improving detection, and stronger regulations are urged.
This is the most amazing thing about this story. Not only did the company not threaten him, they actually fixed the issues.
poor workers yes... but fuck them just constantly adding more things to say and getting you to donate