I’m Lovin’ It: Exploiting McDonald’s APIs to hijack deliveries and order food for a penny

> API flaws in the McDonald’s McDelivery system in India, one of the world’s most popular food delivery apps, enabled a variety of fun exploits: > > 🍟The ability to order any number of menu items for ₹1 ($0.01 USD). > > 🍟The ability to steal/hijack/redirect other people’s delivery orders through a specific sequence of carefully timed API calls. > > 🍟The ability to retrieve the details of any order. > > 🍟The ability to track any order in the “On the way” status. You could real-time track the location of the driver for any order. > > 🍟The ability to download invoices for any order. > > 🍟The ability to submit feedback for orders that are not your own. > > 🍟The ability to view admin KPI reports. > > 🍟Sensitive driver/rider information that could be accessed: > 🍔Name > > 🍔Email address > > 🍔Phone number > > 🍔Vehicle license plate number > > 🍔Profile picture