A series of API flaws in McDelivery India made it possible to order food for a penny, hijack other people’s delivery orders, view user information, and more.

Lobsters is a community-driven platform for sharing and discussing links to articles, tutorials, and projects related to technology and programming. Readers can learn about a wide range of topics, from software development and system administration to cybersecurity and artificial intelligence. With user submissions, comments, and voting, Lobsters provides a platform for collaborative learning and knowledge sharing among technology enthusiasts.

Lobsters

API flaws in McDonald’s McDelivery system in India allowed exploits such as ordering food for ₹1 ($0.01 USD), hijacking/redirecting delivery orders, accessing sensitive driver information, and downloading order details and invoices. These vulnerabilities, discovered by the author in an attempt to enhance food industry security, were reported and efficiently addressed through McDonald's India’s bug bounty program. The fixes were implemented server-side, ensuring that the system is now secure for users.

I’m Lovin’ It: Exploiting McDonald’s APIs to hijack deliveries and order food for a penny

The big bite: Ordering anything for a penny

<p>That’s why you should not cut corners during software development.</p>


<p>Proceeds to buy 120 McDonald’s at the fair price.</p>
