this post was submitted on 19 Dec 2024
94 points (97.0% liked)

Key Points / Summary

API flaws in the McDonald’s McDelivery system in India, one of the world’s most popular food delivery apps, enabled a variety of fun exploits:

🍟The ability to order any number of menu items for ₹1 ($0.01 USD).

🍟The ability to steal/hijack/redirect other people’s delivery orders through a specific sequence of carefully timed API calls.

🍟The ability to retrieve the details of any order.

🍟The ability to track any order in the “On the way” status. You could real-time track the location of the driver for any order.

🍟The ability to download invoices for any order.

🍟The ability to submit feedback for orders that are not your own.

🍟The ability to view admin KPI reports.

🍟Sensitive driver/rider information that could be accessed:

🍔Name

🍔Email address

🍔Phone number

🍔Vehicle license plate number

🍔Profile picture

[–] dohpaz42 7 points 2 days ago (1 children)

Does anybody know what tool this is?