The data comes from McDonald's India's delivery app, McDelivery. Although McDelivery has assured customers that no financial information was leaked, the exposed data reportedly includes names, email addresses, phone numbers, home addresses, social media links and “accurate home coordinates”. According to Fallible, a single curl request to an API endpoint, with no authentication at all, was enough to pull this information for any customer.
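The failure class is easier to see in code. The following is an added illustration, not McDelivery's code or API: every path, field name, record and token in it is invented. It sketches a customer-profile endpoint as two pure functions, the unauthenticated version that returns a full record to anyone who knows (or guesses) an id beside a hardened one that requires a bearer token, ties the token to the record being requested, and drops the coordinates from the response. It also includes the check Fallible's curl request amounts to: call each path with no credentials and flag any that come back with customer data.

```python
"""Hypothetical profile API, vulnerable and hardened, as pure functions.

Constructed example. Nothing here is McDelivery's code; the paths, fields,
customers and tokens are made up so the block runs offline.
"""
import hmac

# Constructed sample data standing in for a customer table.
CUSTOMERS = {
    "1001": {"name": "A. Customer", "email": "a@example.com",
             "phone": "+91-00000-00001", "address": "1 Example Road",
             "coords": (12.9716, 77.5946)},
    "1002": {"name": "B. Customer", "email": "b@example.com",
             "phone": "+91-00000-00002", "address": "2 Example Road",
             "coords": (19.0760, 72.8777)},
}

# Hypothetical bearer tokens mapped to the customer they belong to.
SESSIONS = {"tok-1001": "1001", "tok-1002": "1002"}

PII_FIELDS = ("email", "phone", "address", "coords")
PATHS = ["/api/v1/customers/1001", "/api/v1/customers/1002"]


def _customer_id(path):
    # Last path segment is the customer id in this hypothetical scheme.
    return path.rstrip("/").rsplit("/", 1)[-1]


def vulnerable_profile(path, headers):
    """Weak pattern: returns the whole record for any id and never looks
    at the Authorization header, so an unauthenticated request succeeds."""
    rec = CUSTOMERS.get(_customer_id(path))
    if rec is None:
        return 404, {}
    return 200, dict(rec)


def _authenticated_customer(headers):
    """Resolve a 'Bearer <token>' header to a customer id, or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    for known, cid in SESSIONS.items():
        # Constant-time comparison so token checks don't leak via timing.
        if hmac.compare_digest(known, token):
            return cid
    return None


def hardened_profile(path, headers):
    """Fixed pattern: authenticate, then authorize at the object level,
    then return only the fields the client actually needs."""
    caller = _authenticated_customer(headers)
    if caller is None:
        return 401, {"error": "authentication required"}
    cid = _customer_id(path)
    rec = CUSTOMERS.get(cid)
    # 404 for both "not yours" and "does not exist", so a logged-in user
    # cannot confirm which other ids are valid by the status code.
    if rec is None or caller != cid:
        return 404, {}
    return 200, {k: rec[k] for k in ("name", "email", "phone", "address")}


def probe_unauthenticated(handler, paths):
    """Hit each path with no credentials and return those that hand back
    PII-bearing records: the same test a curl with no headers performs."""
    return [p for p in paths
            if handler(p, {})[0] == 200
            and any(k in handler(p, {})[1] for k in PII_FIELDS)]


if __name__ == "__main__":
    print("leaking paths (vulnerable):", probe_unauthenticated(vulnerable_profile, PATHS))
    print("leaking paths (hardened):  ", probe_unauthenticated(hardened_profile, PATHS))
```

The probe is the part worth keeping: running every data-returning endpoint once with credentials stripped, and failing the build if any of them still answers 200 with personal data, catches this class of bug before a third party does.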
Fallible notified McDonald's on 7 February, but its repeated attempts to get the problem fixed went nowhere. By 18 March, having pressed the issue for well over a month with little response, Fallible decided to publish its findings.
The US fast food giant has reportedly since updated the app and fixed the problem.
McDonald's sent a statement to the Times of India saying that, “The website and app have always been safe to use, and we update security measures on a regular basis. As a precautionary measure, we would also urge our users to update the McDelivery app on their devices. At McDonald's India, we are committed to our users' data privacy and protection.” Whether this amounts to an admission that there was a problem or to a flat-out denial is not clear.
The lack of regulation in data handling, Fallible's blog post noted, has led to low expectations: “The lack of strong data protection and privacy laws or penalties in India, unlike the European Union, United States or Singapore, has led to companies ignoring user data protection.”
Fallible adds, “we are pleasantly surprised when we find Indian companies without a personal or payment data leak vulnerability in their APIs.”