McDonald's India's delivery app was a golden honeypot McDonald's India has 'fessed up that its app spaffed personal data to all and sundry and has urged users to install an update. Over the weekend, a post at Medium said the company's McDelivery app in India was leaking user data through a misconfigured server. The leaks, disclosed by payment security company Fallible.co, “ …
They already have your Home Address, NI Number, Bank and Credit Card details and even your inside leg and bust measurements(delete as applicable or not). All ready for you when you apply for a position at the Golden Arches home for miscreants, wasters and idle sods.
{see Icon}
"only allows you to order when in the queue in store "
Having never ordered (or eaten) anything from McDonalds I'm wondering how useful it would be to order using a phone app while waiting in a queue. Is it any quicker?
The 'normal' situation appears to be like that in Argos. Queue to order, queue to collect.
I'm assuming that one still needs to queue to pay for the order. If so, where's the advantage to the customer?
Ah, stupid me. I was thinking about it from a customers point of view. Obviously the app is for the benefit of McDonalds.
(Slaps forehead as the real world slowly sinks in.)
> Having never ordered (or eaten) anything from McDonalds I'm wondering how useful it would be to order using a phone app while waiting in a queue. Is it any quicker?
It's for when the store is in a busy tourist city in one country; the staff come from another country; and the customers from a third. Language becomes optional.
McD love slurpage.
I was once in situation where wifi connection would have been useful (not spot, needed to ring or text SO but wifi would let me use VOIP solution)
There was McD nearby and it had supposedly "open" wifi, however as soon as I tried to use it was a login scenario that wanted various personal data before you could get credentials to login.
So my phone call had to wait, did not want my details sloshing around in their database
Slightly "tongue in cheek"
The data is not ordered and you would need to know the name of the person you are requesting data about. Its far easier to just buy the information from the company holding it. That way it would be nicely ordered and probably very cheap for the whole database.
More Seriously.
People REALLY need to look at what things mean when they accept the access requirements from an app they install.
McDonalds is NOT your friend, why the hell would you trust them with the very deep access that this app requires?
Ignoring the fact that they treat security much like they treat nutrition, a private company exists to make money, and asking for your data is .... to make them money.
1. user profile without authentication
2. data served over http, not SSL
3. complete address information is not needed to process an order. the only part needed is the house number and the numbers from the postcode. that's what actually gets matched. the rest is fluff to make the user know it's their address.
4. All that and a global company has not been responsive on security issues.
But seriously, a delivery service? when I've (really rarely) had stuff from the "yellow crayon arches", I see that nuggets are lethally hot, but everything else is lukewarm. delivery will only help the lukewarm get even more so...
That ProcessUser.svc end point is a .NET WCF service hosted on microsoft iis. Not all stuff developed on top of Microsoft's stack is rubbish and it is 100% possible to create something reasonably secure if it's done right. This is flat out garbage and stinks of "we need a service layer, any .Net developer can develop one of those..hire a cheap one"
Agree not too finicky about privacy here, I think that can be said for any poor/third world country, but I wonder why it's such a big deal in all the 'advanced' nations. I mean all the people are doing the same thing. From buying/aspiring to same phones to eating the same food.
Recently Finance minster said privacy is not a fundamental right and people cannot demand it, in response to leakage of Aadhar data.
Interesting choice of supplier for another one of McDonalds India apps and hospitality/communication skills training!
Supplier: http://www.chroniclelive.co.uk/news/north-east-news/fraudster-tony-hindhaugh-lied-salary-1464719
App: https://itunes.apple.com/us/app/smex-hospitality/id1166499529?mt=8
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
