Full Report
First, I love the fries animation they added for the cursor; I got a good kick out of it. The blog post is about bug hunting on McDonald's McDelivery (India). Digging through the website, they noticed it was an Angular app and pulled the API routes out of the minified JavaScript. With no idea what the IDs on the requests looked like, they just tried 0 and 1. To their horror, this returned the contents of a random cart on the website. Playing around with it, they found that the order IDs were sequential. A similar issue existed in the ratings API too.

They noticed that when a user lands on the website, they're handed a "Guest" JWT. To me, handling "Guest" users properly is complicated: you want the guest to be able to buy things and track their orders without logging in, but those orders must only be accessible to them. It's a hard problem to solve. The same IDOR on the order ID worked on the delivery map for the order, on receipts, and on submitting feedback. This seemed to be all over the website.

The payment flow for an order worked by clicking add to cart and then being redirected to the payment processor, Juspay. The checkout POST request is what created the order. Modifying the order information in that request didn't work, because the server generates an RSA signature over it; this prevents tampering with the request and avoids state issues. Besides the POST, there is a PUT request for modifying the order, and unfortunately this endpoint was vulnerable to mass assignment. Using it, they could update the price and many other fields of the order. Crazy! The same bug could be used to steal people's orders: it was possible to change the destination address of another user's order and then reassign the order to your own account, but only after they had paid, of course. This requires some crazy timing. But, given the other bugs with incrementing IDs and information disclosure, it seems fairly reasonable to pull off.
The final bug was a scoping issue with the JWT tokens. On the McDelivery admin panel, a single API accepted consumer-website JWTs. That API served KPI reports, leading to a serious information disclosure. Overall, a really fun read! I enjoyed the narrative style of the post and the notes on the complexity of the various components they tested. The vulnerabilities were nothing crazily fancy; they just required some knowledge of the application. For their hard work, they received $240, which is criminally undervalued.
Analysis Summary
# Vulnerability: Multiple API Flaws in McDelivery (India West & South)
## CVE Details
- **CVE ID**: Not Assigned (Internal Bug Bounty Disclosure)
- **CVSS Score**: Estimated 9.1 (Critical) - Based on unauthorized data access and integrity compromise across a massive user base.
- **CWE**:
  - CWE-639: Authorization Bypass Through User-Controlled Key (IDOR)
  - CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes (Mass Assignment)
  - CWE-284: Improper Access Control
## Affected Systems
- **Products**: McDelivery India (West & South) Web and Mobile Applications.
- **Versions**: All versions prior to December 2024.
- **Configurations**: Systems operated specifically by Hardcastle Restaurants Pvt. Ltd. (West & South India franchise). North & East India and international systems are not affected.
## Vulnerability Description
The McDelivery platform suffered from several critical API design flaws:
1. **IDOR (Insecure Direct Object Reference)**: The application used sequential integer IDs for orders, carts, and users. Lack of server-side authorization checks allowed any authenticated (including "Guest" JWT) user to access receipt data, live GPS delivery tracking, and customer PII by simply incrementing ID numbers.
2. **Mass Assignment**: While the initial order creation (POST) used RSA signatures to prevent tampering, the update endpoint (PUT) lacked these protections. This allowed attackers to modify protected fields, such as changing the order total to ₹1 ($0.01) or reassigning an order to a different user ID.
3. **Broken Function Level Authorization**: An admin-level API used to generate KPI reports accepted standard consumer JWTs, leaking sensitive business metrics to any registered user.
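The three flaws above share one root cause: the server trusts client-supplied identifiers and fields instead of deciding, per request, what this caller may read or write. The following is an added example, not McDelivery's code or the researcher's, that models the PUT update endpoint and the KPI report as small Python functions: a vulnerable version that behaves the way the report describes (lookup by ID with no ownership check, body copied onto the record), beside a hardened version with an owner check, an allowlist of writable fields, and a role check. The order table, field names (`owner`, `total`, `address`), roles and KPI figures are all constructed for illustration.

```python
import uuid
from copy import deepcopy

# Constructed sample data standing in for the backend order table.
# Integer keys mimic the sequential IDs the report describes.
SAMPLE_ORDERS = {
    1001: {"owner": "guest-7", "total": 499.0, "address": "12 Marine Drive", "status": "PAID"},
    1002: {"owner": "user-42", "total": 899.0, "address": "5 MG Road", "status": "PAID"},
}

# Allowlist of fields a customer may change on an order they own.
# Everything else (price, owner, status) is server-controlled.
CUSTOMER_WRITABLE = {"address", "special_instructions"}


class NotFound(Exception):
    """Used for both missing and foreign orders so the response does not
    confirm which IDs exist."""


class Forbidden(Exception):
    """Caller tried to write a protected field or reach an admin function."""


def make_store():
    """Fresh copy of the sample table so each scenario starts clean."""
    return deepcopy(SAMPLE_ORDERS)


def update_order_vulnerable(store, order_id, caller, patch):
    """The PUT pattern described in the report: the order is fetched by the
    client-supplied ID with no ownership check (IDOR) and the JSON body is
    copied straight onto the record (mass assignment). `caller` is unused,
    which is exactly the bug."""
    order = store[order_id]
    order.update(patch)
    return order


def update_order_hardened(store, order_id, caller, patch):
    """Owner-only access plus an explicit allowlist of writable fields."""
    order = store.get(order_id)
    if order is None or order["owner"] != caller["sub"]:
        raise NotFound(order_id)
    unexpected = set(patch) - CUSTOMER_WRITABLE
    if unexpected:
        # Reject rather than silently drop: a client sending "total" or
        # "owner" is either hostile or broken, and either deserves a 4xx.
        raise Forbidden(sorted(unexpected))
    order.update(patch)
    return order


def kpi_report(caller):
    """Function-level authorization for the admin report: a consumer JWT,
    guest or registered, is rejected even though the token itself is valid."""
    if "admin" not in caller.get("roles", ()):
        raise Forbidden("admin role required")
    return {"orders_today": 1234, "avg_ticket_inr": 612.5}  # constructed figures


def new_order_id():
    """Random, non-guessable identifier for new orders. This is defence in
    depth against enumeration, not a replacement for the ownership check."""
    return str(uuid.uuid4())


def rejected(exc, fn, *args):
    """Helper: True if fn(*args) raises exc, False if it succeeds."""
    try:
        fn(*args)
    except exc:
        return True
    return False


if __name__ == "__main__":
    attacker = {"sub": "guest-99", "roles": ["consumer"]}
    hijack = {"total": 1, "owner": "guest-99", "address": "attacker's doorstep"}

    store = make_store()
    print("vulnerable PUT result:", update_order_vulnerable(store, 1002, attacker, hijack))

    store = make_store()
    print("hardened rejects foreign order:",
          rejected(NotFound, update_order_hardened, store, 1002, attacker, hijack))
    print("hardened rejects consumer on KPI report:", rejected(Forbidden, kpi_report, attacker))
```

Two design points are worth noting. The hardened update returns the same "not found" result for an order that does not exist and for one the caller does not own, so probing IDs reveals nothing; and unexpected fields are rejected rather than silently stripped, which turns a tampering attempt into a logged 4xx instead of a partially applied write. Switching to UUIDs removes the cheap enumeration, but without the owner check a leaked UUID would still be a working key.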
## Exploitation
- **Status**: PoC available (demonstrated by researcher); fixed by vendor.
- **Complexity**: Low
- **Attack Vector**: Network
- **Details**: Exploitation required only basic web proxy tools (e.g., Burp Suite) to modify JSON payloads or URL parameters. The sequential nature of IDs made large-scale data scraping trivial.
## Impact
- **Confidentiality**: **High**. Exposure of customer names, addresses, phone numbers, and real-time delivery locations. Access to corporate KPI reports.
- **Integrity**: **High**. Capability to modify order prices to near-zero and hijack paid deliveries by changing the destination address and owner ID.
- **Availability**: **Low**. No direct service disruption identified, though order hijacking could disrupt business operations.
## Remediation
### Patches
- The vendor implemented server-side fixes to all affected API endpoints in late 2024. As these are backend API changes, no user-side app update is strictly required for the fix to take effect, though updating the app is recommended.
### Workarounds
- **Vendor Side**: Implement UUIDs instead of sequential integers and enforce strict "Owner-Only" access policies on all object-returning endpoints.
- **User Side**: No specific workaround available; the vendor claims no customer data was leaked during the vulnerability window.
## Detection
- **Indicators of Compromise**: High-frequency requests to `/order-tracking/` or `/receipts/` with sequentially incrementing numeric IDs, especially many distinct IDs issued under a single JWT.
- **Detection Methods**: Monitor API logs for PUT requests that modify price-related or user-assignment fields after an order has been initiated; in a correctly designed API, no consumer request should ever carry those fields.
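Both detection ideas above can be run over ordinary gateway logs. The following is an added example, not from the report or the vendor, that walks a constructed JSON-lines log and flags (a) a token stepping through consecutive object IDs on one endpoint family and (b) PUT/PATCH requests whose body names a price or ownership field. The log format, the `body_keys` field (it assumes the gateway records the top-level JSON keys of write requests, not the values), the token labels and the endpoint prefixes are all assumptions for illustration.

```python
import json
from collections import defaultdict

# Constructed gateway log (JSON lines). Assumed fields: ts, token (hashed JWT
# or session id), method, path, status, and for writes the list of top-level
# JSON keys in the body. This is not McDelivery's real log format.
SAMPLE_LOG = [
    '{"ts": 1, "token": "tok-A", "method": "GET", "path": "/receipts/1000", "status": 200}',
    '{"ts": 2, "token": "tok-A", "method": "GET", "path": "/receipts/1001", "status": 200}',
    '{"ts": 3, "token": "tok-B", "method": "GET", "path": "/receipts/2231", "status": 200}',
    '{"ts": 4, "token": "tok-A", "method": "GET", "path": "/receipts/1002", "status": 200}',
    '{"ts": 5, "token": "tok-A", "method": "GET", "path": "/receipts/1003", "status": 200}',
    '{"ts": 6, "token": "tok-A", "method": "GET", "path": "/receipts/1004", "status": 200}',
    '{"ts": 7, "token": "tok-A", "method": "GET", "path": "/receipts/1005", "status": 200}',
    '{"ts": 8, "token": "tok-B", "method": "PUT", "path": "/orders/2231", "status": 200, "body_keys": ["address"]}',
    '{"ts": 9, "token": "tok-A", "method": "PUT", "path": "/orders/1003", "status": 200, "body_keys": ["total", "owner", "address"]}',
    '{"ts": 10, "token": "tok-A", "method": "GET", "path": "/order-tracking/1003", "status": 200}',
]

ENUMERABLE_PREFIXES = ("/receipts/", "/order-tracking/", "/orders/")
SENSITIVE_FIELDS = {"total", "price", "amount", "discount", "owner", "user_id", "customer_id"}
MIN_RUN = 5  # consecutive IDs from one token before we call it enumeration


def load_events(lines):
    return [json.loads(line) for line in lines]


def object_ref(path):
    """Return (prefix, numeric id) for paths like /receipts/1234, else None."""
    for prefix in ENUMERABLE_PREFIXES:
        if path.startswith(prefix):
            tail = path[len(prefix):].split("/", 1)[0]
            if tail.isdigit():
                return prefix, int(tail)
    return None


def longest_step_run(ids):
    """Longest run in which each ID differs from the previous one by exactly 1
    (ascending or descending). Returns (start, end, length)."""
    best = (ids[0], ids[0], 1)
    start, length = ids[0], 1
    for prev, cur in zip(ids, ids[1:]):
        if abs(cur - prev) == 1:
            length += 1
        else:
            start, length = cur, 1
        if length > best[2]:
            best = (start, cur, length)
    return best


def find_enumeration(events, min_run=MIN_RUN):
    """Flag tokens that walk consecutive object IDs on one endpoint family."""
    seen = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ref = object_ref(ev["path"])
        if ref and ev["method"] == "GET":
            seen[(ev["token"], ref[0])].append(ref[1])
    hits = []
    for (token, prefix), ids in seen.items():
        start, end, length = longest_step_run(ids)
        if length >= min_run:
            hits.append({"token": token, "prefix": prefix, "start": start, "end": end, "count": length})
    return hits


def find_sensitive_writes(events):
    """Flag PUT/PATCH requests whose body names a price or ownership field.
    In a correctly designed API a consumer client never sends these keys."""
    hits = []
    for ev in events:
        if ev["method"] in ("PUT", "PATCH"):
            touched = sorted(SENSITIVE_FIELDS & set(ev.get("body_keys", [])))
            if touched:
                hits.append({"token": ev["token"], "path": ev["path"], "fields": touched})
    return hits


if __name__ == "__main__":
    events = load_events(SAMPLE_LOG)
    for hit in find_enumeration(events):
        print("enumeration:", hit)
    for hit in find_sensitive_writes(events):
        print("sensitive write:", hit)
```

The enumeration check keys on the token rather than the source IP because a guest JWT is free to obtain and an attacker will rotate addresses; it also tolerates descending walks, since an attacker who starts from their own fresh order ID and counts down toward older orders is just as telling as one counting up. Tune `MIN_RUN` against real traffic: a legitimate user rarely views more than a handful of their own receipts in order.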
## References
- **Researcher Report**: [https://eaton-works[.]com/2024/12/19/exploiting-mcdonalds-india-apis/](https://eaton-works[.]com/2024/12/19/exploiting-mcdonalds-india-apis/)
- **Official Web Portal**: [https://mcdelivery[.]co[.]in/](https://mcdelivery[.]co[.]in/)