McDonald’s has asked users of its McDelivery service in India to update the app on their smartphones as a precaution, after a blog alleged that personal data of 2.2 million customers could have been leaked due to a vulnerability.
“We would like to inform our users that our website and app do not store any sensitive financial data of the users like credit card details, wallets passwords or bank account information,” said a McDonald’s India spokesperson.
Data security firm Fallible, in a post on popular blogging platform Medium, alleged that it had found the vulnerability in McDonald’s app and that, despite an acknowledgement from the company, the issue was not fixed for over a month.
The post said information such as names, phone numbers, email IDs, addresses, home coordinates and links to social handles of users of the McDelivery app was exposed to leakage. Fallible traced the vulnerability to the presence of an “unprotected publicly accessible API endpoint” that could be used to access the user information.
“The lack of strong data protection and privacy laws or penalties in India, unlike the European Union, United States or Singapore has led to companies ignoring user data protection,” read the post by Fallible.
Fallible claims it contacted McDonald’s on February 7 regarding the vulnerability, and while it got an acknowledgement from a senior IT manager on February 13, the issue still was not fixed. Fallible followed the responsible disclosure policy, but upon seeing that the issue was not fixed, it finally decided to make the news public.