McDonald's India's delivery app was a golden honeypot

McDonald's India has 'fessed up that its app spaffed personal data to all and sundry and has urged users to install an update. Over the weekend, a post at Medium said the company's McDelivery app in India was leaking user data through a misconfigured server. The leaks, disclosed by payment security company Fallible.co, “ …

  1. redpawn Silver badge

    Honey Pot?

    Sounds to me like the opposite of a trap.

    1. Destroy All Monsters Silver badge

      Re: Honey Pot?

      It's a Harry Pot. Pure magic!

      1. JetSetJim Silver badge

        Re: Honey Pot?

        > It's a Harry Pot. Pure magic!

        Unlike Hari Puttar

  2. Anonymous Coward

    "Value your privacy"

    But not so much as the CTO values his bollocks. If a BOFH could just link these two value systems (perhaps via power MOSFETs) then once the unpleasant smell of scorched hair dissipated we could advance beyond platitudes.

    1. danbishop

      Re: "Value your privacy"

      Hair? How 80's ;-)

  3. Mage Silver badge

    Too cute

    "disclosed by payment security company Fallible.co"

  4. Your alien overlord - fear me

    I wonder

    if their UK app they've just released is as secure? And no, it only allows you to order when in the queue in store so in theory shouldn't store anything like your home address!!!

    1. Aitor 1

      Re: I wonder

      But of course they wanted to steal all of that.

    2. Steve Davies 3 Silver badge
      Joke

      Re: I wonder

      They already have your Home Address, NI Number, Bank and Credit Card details and even your inside leg and bust measurements (delete as applicable or not). All ready for you when you apply for a position at the Golden Arches home for miscreants, wasters and idle sods.

      {see Icon}

      1. ridley

        Re: I wonder

        Don't be daft, anyone that goes to McDonalds enough to require the use of an App will have a bust regardless of gender.

    3. Alumoi Silver badge

      Re: I wonder

      Of course it wouldn't store your home address, it just slurps and sends to the mothership all it can eat!

    4. TheProf Silver badge
      Facepalm

      Re: I wonder

      "only allows you to order when in the queue in store "

      Having never ordered (or eaten) anything from McDonalds I'm wondering how useful it would be to order using a phone app while waiting in a queue. Is it any quicker?

      The 'normal' situation appears to be like that in Argos. Queue to order, queue to collect.

      I'm assuming that one still needs to queue to pay for the order. If so, where's the advantage to the customer?

      Ah, stupid me. I was thinking about it from a customer's point of view. Obviously the app is for the benefit of McDonalds.

      (Slaps forehead as the real world slowly sinks in.)

      1. Anonymous Coward

        Re: I wonder

        > Having never ordered (or eaten) anything from McDonalds I'm wondering how useful it would be to order using a phone app while waiting in a queue. Is it any quicker?

        It's for when the store is in a busy tourist city in one country; the staff come from another country; and the customers from a third. Language becomes optional.

  5. Anonymous Coward
    Joke

    See....

    ...that's what happens when you outsource your IT to the USA.

  6. Anonymous Coward

    And so we have a new term..

    .. following in the wake of McJob, we now have a McFuckup.

    Well done.

  7. tiggity Silver badge

    Slurpage

    McD love slurpage.

    I was once in situation where wifi connection would have been useful (not spot, needed to ring or text SO but wifi would let me use VOIP solution)

    There was McD nearby and it had supposedly "open" wifi, however as soon as I tried to use it was a login scenario that wanted various personal data before you could get credentials to login.

    So my phone call had to wait, did not want my details sloshing around in their database.

    1. Anonymous Coward

      Re: Slurpage

      Oh no, someone wanted something in return for providing a service.

      "Open" simply means you don't need the wireless key, you can still whack a captive portal in the way.

  8. Gordon Pryra

    Far easier to buy it

    Slightly "tongue in cheek"

    The data is not ordered and you would need to know the name of the person you are requesting data about. It's far easier to just buy the information from the company holding it. That way it would be nicely ordered and probably very cheap for the whole database.

    More Seriously.

    People REALLY need to look at what things mean when they accept the access requirements from an app they install.

    McDonalds is NOT your friend, why the hell would you trust them with the very deep access that this app requires?

    Ignoring the fact that they treat security much like they treat nutrition, a private company exists to make money, and asking for your data is .... to make them money.

  9. Anonymous Coward

    If something is free, YOU are the product being sold

    That is all.

  10. Destroy All Monsters Silver badge
    Trollface

    Over 100 gazillion requestburgers served

    McDonalds India gave the usual “value your privacy” explanation

    It probably tasted like chicken.

    1. Tom 7 Silver badge

      Re: Over 100 gazillion requestburgers served

      That would be a first for them!

  11. Anonymous Coward

    I deduce it was the clown that wrote the app and the hamburglar stole the data.

  12. Adam JC

    What a monumental McFuckup!

  13. an it guy

    Quite a few things are bad here

    1. user profile without authentication

    2. data served over http, not SSL

    3. complete address information is not needed to process an order. The only part needed is the house number and the numbers from the postcode. That's what actually gets matched. The rest is fluff to make the user know it's their address.

    4. All that and a global company has not been responsive on security issues.

    But seriously, a delivery service? When I've (really rarely) had stuff from the "yellow crayon arches", I see that nuggets are lethally hot, but everything else is lukewarm. Delivery will only help the lukewarm get even more so...

  14. Anonymous Coward

    cheap tat

    That ProcessUser.svc end point is a .NET WCF service hosted on Microsoft IIS. Not all stuff developed on top of Microsoft's stack is rubbish and it is 100% possible to create something reasonably secure if it's done right. This is flat out garbage and stinks of "we need a service layer, any .Net developer can develop one of those..hire a cheap one"

  15. Mr Dogshit

    I'm lovin' it™

  16. Anonymous Coward

    Chicken McFuckit

    I'm off to KFC now. Fuck it.

  17. Jonathan 27 Silver badge

    Honestly, in India, I doubt many people will care. Privacy isn't something that a lot of people value. Only really the very rich can afford privacy over there.

    1. agnii

      Privacy, not a right here.

      Agree not too finicky about privacy here, I think that can be said for any poor/third world country, but I wonder why it's such a big deal in all the 'advanced' nations. I mean all the people are doing the same thing. From buying/aspiring to same phones to eating the same food.

      Recently Finance minister said privacy is not a fundamental right and people cannot demand it, in response to leakage of Aadhar data.

  18. Anonymous Coward

    Interesting choice of supplier for another one of McDonalds India apps and hospitality/communication skills training!

    Supplier: http://www.chroniclelive.co.uk/news/north-east-news/fraudster-tony-hindhaugh-lied-salary-1464719

    App: https://itunes.apple.com/us/app/smex-hospitality/id1166499529?mt=8
