A leak in an API used in the fast food restaurant's mobile app is exposing personal information.
A leak in an API used in the fast food restaurant's mobile app is exposing personal information.

A flaw in a mobile app is leading to some unappetizing offerings for McDonald's customers in India, according to a report on Data Breach Today.

A leak in an API used in the fast food restaurant's mobile app exposed personal information of more than 2.2 million of its customers. The data exposed included not only names, email addresses, phone numbers, home addresses and geolocations of those homes, but links to subscribers' social media profiles as well.

The bug was detected by Fallible, a security research startup, which said it contacted McDonald's India on Feb. 7 to let the chain know that user information was exposed and could be pulled from the API using a curl request.

"An unprotected publicly accessible API endpoint for getting user details coupled with serially enumerable integers as customer IDs can be used to obtain access to all users personal information," Fallible stated in a blog post.

But, even after Fallible sent another alert to McDonald's, the leak was still exposing data, Fallible reported, so it went public on March 18 with a blog post. McDonald's responded next day with a tweet, but whether the bug was patched remains has yet to be determined.

India's data protection laws – and penalties for violations – are less stringent than in the United States and European Union, leading some to comment that this is the cause of companies there ignoring user data protection.

"We have in the past discovered more than 50 instances of data leaks in several Indian organizations," Fallible wrote on its post. "In fact, we are pleasantly surprised when we find Indian companies without a personal or payment data leak vulnerability in their APIs."