A series of API flaws in McDelivery India made it possible to order food for a penny, hijack other people’s delivery orders, view user information, and more.
Cool article and write-up. But just $240!? This guys saved them a bundle - you’d think they’d at least pay a week of what they should have paid someone on their security team.
Notice a few red flags. 1) they were contacted before the system was rolled out. Before anyone else could look for bugs 2) it is reported by techcrunch and is trending tech news 3) the exploits are rudimentary 90s era mistakes that even LLMs don’t make these days
So it’s likely that they paid McDonald’s India to pretend to have horrible practices. $240 is another tactic to appear good and trustworthy. That brings traffic to their blue team company site, effective advertising. Standard fakery that security removeds utilize to spread the FUD to create demand for their services.
As a response to 3, I’m a professional pentester. I see several of the mistakes mentioned more than I’d like. Stuff like that still happens on the regular.
I typically get higher profile brands similar to McDonald’s as well.
Even better for your career is being an actual researcher with a good grasp on heap grooming, MAC circumvention instead of spreading FUD over something that can easily be detected with burp.
Cool article and write-up. But just $240!? This guys saved them a bundle - you’d think they’d at least pay a week of what they should have paid someone on their security team.
Notice a few red flags. 1) they were contacted before the system was rolled out. Before anyone else could look for bugs 2) it is reported by techcrunch and is trending tech news 3) the exploits are rudimentary 90s era mistakes that even LLMs don’t make these days
So it’s likely that they paid McDonald’s India to pretend to have horrible practices. $240 is another tactic to appear good and trustworthy. That brings traffic to their blue team company site, effective advertising. Standard fakery that security removeds utilize to spread the FUD to create demand for their services.
As a response to 3, I’m a professional pentester. I see several of the mistakes mentioned more than I’d like. Stuff like that still happens on the regular.
I typically get higher profile brands similar to McDonald’s as well.
Let me guess, you signed an NDA, and won’t tell anyone which brands had badly configured access control in their web apps?
Each red flag is okay, but all together is rather strange. It’s kinda classic to say that pajeets write shitty code.
Of course I’m not telling you my fucking clients. My career path requires a modicum of professionalism
Good, because it’s not of interest.
Even better for your career is being an actual researcher with a good grasp on heap grooming, MAC circumvention instead of spreading FUD over something that can easily be detected with burp.