McDelivery, McDonald's India application, was allegedly leaking personal data - including name, email addresses, phone number, home address, home co-ordinates and social profile links - for as many as 2.2 million of its users, according to Fallible, a cyber security company. In the blog post, Fallible says that it had contacted McDonald's on the 4th of February 2017, received an acknowledgement from a Senior IT Manager at the company on the 13th of February, but as of the 18th of March, McDonald's had still not fixed the application, and at the time that Fallible disclosed the vulnerability online, they hadn't received an update from the company. The issue, according to Fallible, was "An unprotected publicly accessible API endpoint for getting user details coupled with serially enumerable integers as customer IDs can be used to obtain access to all users personal information." This is probably not what McDonald's had in mind when they wrote in their McDelivery app description: "We may disclose certain personally identifiable information, to third party service providers, listed below - - information you provide us such as name, email, mobile phone number. - information we collect as you access and use our service - device information, location and network carrier." A subsequent statement issued by McDonald's India (South and West), also sent to MediaNama, the company has clearly not denied that this information is being leaked by the application, and only points out that financial information (credit card details, wallet passwords or bank account information) is not…
