Key Points / Summary
API flaws in the McDonald’s McDelivery system in India, one of the world’s most popular food delivery apps, enabled a variety of fun exploits:
🍟 The ability to order any number of menu items for ₹1 ($0.01 USD).
🍟 The ability to steal/hijack/redirect other people’s delivery orders through a specific sequence of carefully timed API calls.
🍟 The ability to retrieve the details of any order.
🍟 The ability to track any order in the “On the way” status. You could real-time track the location of the driver for any order.
🍟 The ability to download invoices for any order.
🍟 The ability to submit feedback for orders that are not your own.
🍟 The ability to view admin KPI reports.
🍟 Sensitive driver/rider information that could be accessed:
🍔 Name
🍔 Email address
🍔 Phone number
🍔 Vehicle license plate number
🍔 Profile picture
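The first three findings above (client-controlled prices, order hijacking, any-order lookup) and the driver-PII exposure all come down to two missing server-side controls: pricing from the server's own catalogue rather than the request body, and binding every order-scoped call to the authenticated caller. The sketch below is an added example from a defender's stance; it is not code from the write-up or from the McDelivery platform, and every name, SKU, price and id in it is constructed. It keeps a deliberately insecure lookup beside the hardened one so the difference is visible, and counts rejected lookups per caller as a simple enumeration signal for detection.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed catalogue: the server's price list is the only source of truth.
MENU_PRICES_INR: Dict[str, int] = {"mcaloo_tikki": 49, "fries_medium": 99, "coke_regular": 65}
MAX_QTY_PER_LINE = 50


@dataclass
class Driver:
    driver_id: str
    name: str
    email: str   # never returned to customers
    phone: str   # never returned to customers
    plate: str   # never returned to customers


@dataclass
class Order:
    order_id: str
    customer_id: str
    items: Dict[str, int]
    total_inr: int
    status: str = "created"
    driver: Optional[Driver] = None
    location: Optional[Tuple[float, float]] = None


ORDERS: Dict[str, Order] = {}
REJECTED_LOOKUPS: Dict[str, int] = {}   # caller_id -> count of denied order reads
_next_id = [1000]


def create_order(customer_id: str, requested_items: List[dict]) -> Order:
    """Build an order from client line items; any 'price' field the client sends is ignored."""
    items: Dict[str, int] = {}
    total = 0
    for entry in requested_items:
        sku, qty = entry.get("sku"), entry.get("qty")
        if sku not in MENU_PRICES_INR:
            raise ValueError(f"unknown sku {sku!r}")
        if not isinstance(qty, int) or qty <= 0 or qty > MAX_QTY_PER_LINE:
            raise ValueError("quantity must be an integer in 1..%d" % MAX_QTY_PER_LINE)
        items[sku] = items.get(sku, 0) + qty
        total += MENU_PRICES_INR[sku] * qty          # server price, not entry.get("price")
    _next_id[0] += 1
    order = Order(order_id=str(_next_id[0]), customer_id=customer_id, items=items, total_inr=total)
    ORDERS[order.order_id] = order
    return order


def get_order_insecure(order_id: str) -> Order:
    """Broken object-level authorisation: anyone who knows an id gets the full record."""
    return ORDERS[order_id]


def get_order(caller_id: str, order_id: str) -> Order:
    """Hardened lookup: the record must belong to the caller. Missing and foreign ids
    get the identical error so the endpoint cannot be used to confirm which ids exist."""
    order = ORDERS.get(order_id)
    if order is None or order.customer_id != caller_id:
        REJECTED_LOOKUPS[caller_id] = REJECTED_LOOKUPS.get(caller_id, 0) + 1
        raise PermissionError("order not found")
    return order


def assign_driver(order_id: str, driver: Driver, location: Tuple[float, float]) -> None:
    """Internal dispatch operation (not customer-reachable): puts an order 'on the way'."""
    order = ORDERS[order_id]
    order.driver, order.location, order.status = driver, location, "on_the_way"


def track_order(caller_id: str, order_id: str) -> Optional[dict]:
    """Tracking view for the owner only, returning a minimal projection of driver data."""
    order = get_order(caller_id, order_id)
    if order.status != "on_the_way" or order.driver is None or order.location is None:
        return None
    return {"driver_name": order.driver.name, "location": order.location}


def suspicious_callers(threshold: int) -> List[str]:
    """Callers whose denied lookups reached the threshold; a cheap id-enumeration signal."""
    return sorted(c for c, n in REJECTED_LOOKUPS.items() if n >= threshold)
```

The ownership check lives in `get_order` rather than in each endpoint so that tracking, invoices and feedback cannot drift apart; the tracking view returns a projection instead of the `Order` object so that adding fields to `Driver` later cannot silently widen what customers see.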
Does anybody know what tool this is?
Might be fiddler