It is ridiculous how much information we voluntarily give away to the mobile apps trusting that they will keep this data safe.
Just to give you an example, the McDonald’s delivery app takes your full name, date of birth, the exact coordinates of where you live, your complete address, your email ID, and your phone number.
Now imagine that anyone, and we mean ANYONE, with a laptop can access the above data, YOUR personal data using the McDonald’s App.
That’s completely possible and even easy to do.
A Hackernoon blog on Medium titled McDonalds India is leaking 2.2 million users data explains just how about anyone can access anyone’s personal data. And McDonald’s has known this for one month now and has done nothing about it.
The mobile app has a publicly accessible API. Which basically means that anyone can tweak the lines of the code and access private user data quite easily.
The user data is not protected at all. And the security company that found this even contacted McDonald’s about this shocking leak, they did nothing about it apart from acknowledging it.
The security company released the information as a part of their Responsible Disclosure Policy.
They even posted a timeline of their communication with McDonald’s –
Disclosure Timeline:
- 4th Feb’17 — Fallible reported the issue to McDelivery.
- 13th Feb’17 — Issue acknowledged by McDelivery IT Manager.
- 7th March’17 — Fallible sent an email asking about the status, no reply from McDelivery.
- 17th March’17 — Fallible sent another email; No response from McDelivery.
- 18th March’17 — No response yet. McDelivery users are still vulnerable. Public disclosure.
Data protection laws are extremely lax in India. A flaw like this can land the company and the App developers in jail in the USA and European countries. But this is India, so McDonald’s can literally sit on it for more than a month.
If you have installed the Application, it would be prudent to uninstall it ASAP.
Just imagine if your exact address gets into the hands of a stalker.