This is published under our responsible disclosure policy.
The McDonald’s India app, McDelivery, is leaking personal data for more than 2.2 million of its users, including name, email address, phone number, home address, accurate home co-ordinates and social profile links. We contacted McDelivery on 7th Feb and received an acknowledgement from a Senior IT Manager on 13th Feb (33 days ago). The issue has not been fixed yet, and our continued efforts to get an update on the fix after the initial acknowledgement have failed.
An unprotected, publicly accessible API endpoint for getting user details, coupled with serially enumerable integers as customer IDs, can be used to obtain access to all users' personal information.
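For operators of an API with this design, the following added example (not code from the original post or from McDelivery) flags clients in an access log that successfully read long runs of consecutive customer IDs. The log format, the `/api/customer/<id>` path, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed log format: "<client_ip> GET <path> <status>".
# /api/customer/<id> is a placeholder path, not the real endpoint.
LINE_RE = re.compile(r"^(\S+) GET /api/customer/(\d+) (\d{3})$")


def longest_sequential_run(ids):
    """Length of the longest run of consecutive integers among the IDs."""
    best = run = 0
    prev = None
    for i in sorted(set(ids)):
        run = run + 1 if prev is not None and i == prev + 1 else 1
        best = max(best, run)
        prev = i
    return best


def find_enumerators(lines, min_distinct=5, min_run=5):
    """Return {client_ip: (distinct_ids, longest_run)} for suspect clients."""
    per_client = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m.group(3) == "200":  # only successful reads disclose data
            per_client[m.group(1)].append(int(m.group(2)))
    flagged = {}
    for ip, ids in per_client.items():
        distinct, run = len(set(ids)), longest_sequential_run(ids)
        # Many distinct records alone can be legitimate (e.g. a support tool);
        # a long consecutive run is the signature of walking the ID space.
        if distinct >= min_distinct and run >= min_run:
            flagged[ip] = (distinct, run)
    return flagged


# Constructed sample: a user re-reading one profile, a client stepping through
# consecutive IDs, and a client reading scattered, non-consecutive IDs.
SAMPLE_LOG = (
    ["203.0.113.7 GET /api/customer/48213 200"] * 3
    + [f"198.51.100.23 GET /api/customer/{i} 200" for i in range(1000, 1006)]
    + ["198.51.100.23 GET /api/customer/1006 404"]
    + [f"192.0.2.50 GET /api/customer/{i} 200" for i in (10, 500, 9000, 77, 3100)]
)

if __name__ == "__main__":
    for ip, (distinct, run) in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {distinct} distinct customer IDs, longest run {run}")
```

Detection of this kind only limits exposure; the underlying fix is to require authentication on the endpoint and to check that the requested customer ID belongs to the authenticated session.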
Read more on Hackernoon.
Update: McDonald’s responds.