Monday, January 27, 2025

McDonald’s Delivery App Bug Let Customers Orders For Just $0.01


McDonald’s India (West & South) / Hardcastle Restaurants Pvt. Ltd. operates a custom McDelivery web app for ordering McDonald’s food for delivery, dine-in, and takeout. 

The app is popular, with over 10 million downloads on Google Play and a #16 ranking in Food & Drink on the Apple App Store, and it offers several ordering options.

Although the app had a security incident in 2017 leaking user data, there are no reports of similar incidents since.  

McDelivery homepage

During an audit of the McDelivery website, a security researcher discovered a Broken Object Level Authorization (BOLA) vulnerability. 


By simply modifying the order ID in the “order-tracking” route, they were able to access sensitive order details of other users, including order status and location. The request carried a JWT obtained from a guest login API call, so the caller was authenticated, but the server never checked that the requested order belonged to that caller.

They exploited the sequential nature of order IDs to easily enumerate and access information belonging to other customers, highlighting a critical security flaw in the application’s authorization mechanisms.

API calls was the JWT token.

The McDelivery app contained several further vulnerabilities: by manipulating order IDs, the researcher accessed sensitive data such as driver information and customer invoices, and they were able to create accounts without phone number verification.

They exploited undocumented APIs to retrieve data, generate invoices, and bypass the normal account creation process, which highlights potential risks to user privacy and data security within the McDelivery platform.

user/create API

A separate flaw let them manipulate the price of items in their own shopping cart: a crafted PUT request to the server updated the price field of individual items.

Despite the server-side implementation of an RSA signature to prevent tampering with order details, the researcher circumvented this by modifying the item prices before the signature was generated. 

The successful exploitation demonstrated the criticality of proper input validation and authorization checks within application logic, highlighting potential risks associated with insufficiently restricted data modification capabilities.
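The price-tampering flaw described above, as an added illustration that is not code from the McDelivery app or the researcher's write-up: the vulnerable cart update copies a client-supplied price field, while the fixed path treats only the quantity as client input and recomputes every line from the server catalog before the order is signed. The catalog, item IDs and HMAC signing key are constructed stand-ins (HMAC replaces the RSA signature the article mentions).

```python
import hashlib
import hmac
import json

# Constructed server-side catalog; prices in the smallest currency unit.
CATALOG = {"mcaloo-tikki": 4900, "fries-medium": 9900}
SIGNING_KEY = b"placeholder-server-key"  # stand-in for the real signing key


def update_cart_vulnerable(cart: dict, item_id: str, updated: dict) -> dict:
    """Copies every field from the PUT body, including 'price', into the cart."""
    cart["items"][item_id].update(updated)
    return cart


def update_cart_fixed(cart: dict, item_id: str, updated: dict) -> dict:
    """Only the quantity is client-controlled; the price always comes from the catalog."""
    if item_id not in CATALOG:
        raise ValueError("unknown item")
    current = cart["items"].get(item_id, {"quantity": 1})
    qty = int(updated.get("quantity", current["quantity"]))
    if qty < 1:
        raise ValueError("quantity must be positive")
    cart["items"][item_id] = {"quantity": qty, "price": CATALOG[item_id]}
    return cart


def total(cart: dict) -> int:
    return sum(line["price"] * line["quantity"] for line in cart["items"].values())


def sign_order(cart: dict) -> str:
    """Signature over the canonical server-side cart, computed after prices are fixed up."""
    payload = json.dumps(cart, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def checkout(cart: dict) -> dict:
    """Re-price every line from the catalog so a tampered price never reaches the signer."""
    for item_id, line in cart["items"].items():
        line["price"] = CATALOG[item_id]
    return {"total": total(cart), "signature": sign_order(cart)}
```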

payment processor

According to Eat On Works, the researchers discovered multiple vulnerabilities in McDelivery that allowed unauthorized users to steal orders.

The attacker could change the address of an order placed by another user to their own address before the payment was confirmed. 

The attacker could also take over an order outright by changing its user ID to their own account. The author responsibly reported these vulnerabilities to McDelivery, received a bug bounty for the findings, and McDelivery fixed the vulnerabilities.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
