McDonald's India Delivery System Exposes Customer Data Due to Security Flaws

Jordan Vega

December 19, 2024 · 3 min read

A major security breach has been reported in McDonald's India's delivery system, McDelivery, which has exposed the personal information of its customers and drivers due to several simple security flaws. The vulnerabilities, discovered by security researcher Eaton Zveare, were found in the APIs of the delivery system associated with McDonald's India (West & South), which is owned by Hardcastle Restaurants.

The security flaws, which were discovered in July, allowed anyone to access, hijack, redirect, or track orders in real time, or to place legitimate orders for $0.01, by interacting with the company's API. This was possible because the API did not properly check that the person making a request was allowed to make it. The bugs also allowed access to invoices and provided the ability to submit feedback for customer orders.
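The missing check described above is object-level authorization. The Python sketch below is an added example, not code from McDelivery or from the researcher's report: it contrasts an order lookup that trusts the supplied ID with one that verifies ownership, and recomputes the order total on the server. All names, IDs and prices are constructed, and it assumes the $0.01 orders came from a price taken from the request.

```python
from dataclasses import dataclass

# Constructed sample data; names, IDs and prices are hypothetical.
MENU = {"burger": 14900, "fries": 9900}  # server-side prices in minor units

@dataclass
class Order:
    order_id: int
    owner_id: str
    items: dict
    total: int

class Forbidden(Exception):
    """Raised when the caller may not access the requested object."""

ORDERS = {
    1001: Order(1001, "alice", {"burger": 1}, 14900),
    1002: Order(1002, "bob", {"fries": 2}, 19800),
}

def get_order_unchecked(order_id):
    # Flawed pattern: any caller who supplies an ID receives that order.
    return ORDERS[order_id]

def get_order(caller_id, order_id):
    # Object-level authorization: the authenticated caller must own the order.
    order = ORDERS.get(order_id)
    # Same error for "missing" and "not yours", so IDs cannot be enumerated.
    if order is None or order.owner_id != caller_id:
        raise Forbidden("order not found")
    return order

def place_order(caller_id, items, client_total=None):
    # Assumption: the flawed API accepted a total from the request. Here the
    # total is recomputed from the server-side menu and a mismatch is rejected.
    if not items or any(name not in MENU or not isinstance(n, int) or n <= 0
                        for name, n in items.items()):
        raise ValueError("invalid items")
    total = sum(MENU[name] * n for name, n in items.items())
    if client_total is not None and client_total != total:
        raise ValueError("price mismatch")
    order_id = max(ORDERS) + 1
    ORDERS[order_id] = Order(order_id, caller_id, dict(items), total)
    return ORDERS[order_id]
```

In a real service `caller_id` would come from the verified session or token, never from a request parameter.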

The exposed data includes the full names, email addresses, and phone numbers of McDonald's India (West & South) McDelivery customers, as well as the vehicle numbers, profile pictures, and real-time locations of the restaurant chain's drivers delivering orders. According to Zveare, the flaws exposed access to hundreds of millions of orders.

McDonald's India has confirmed that the vulnerabilities were fixed in late September, but the company has not disclosed the number of customers whose information may have been exposed. In a statement, Sulakshna Mukherjee, a spokesperson at McDonald's India (West & South), said that a "thorough verification of systems and logs" showed the flaws did not result in a breach of its customer data.

However, this is not the first time McDonald's India has exposed its customers' sensitive data. In 2017, the delivery app of McDonald's India (West & South) leaked the personal information of about 2.2 million customers. The recurrence of such incidents raises concerns about the company's ability to protect its customers' data.

The incident highlights the importance of regular security audits and assessments to identify and fix vulnerabilities before they can be exploited. It also underscores the need for companies to be transparent about data breaches and to take proactive steps to protect their customers' sensitive information.

The security researcher's discovery and reporting of the vulnerabilities demonstrate the critical role that independent security experts play in identifying and helping to fix security flaws. As the use of online delivery systems continues to grow, it is essential that companies prioritize the security and privacy of their customers' data.

In the wake of this incident, customers of McDonald's India (West & South) are advised to be cautious and monitor their accounts for any suspicious activity. The company should also consider providing additional security measures to protect its customers' data and rebuild trust.

The incident serves as a reminder that even the largest companies can be vulnerable to security breaches, and it is essential to take proactive steps to prevent such incidents from occurring in the first place.

Copyright © 2024 Starfolk. All rights reserved.