Reg comments21

McDonald's forget hash, browns off security experts

Golden Arches website's security doesn't pass the sensible surfing taste test

Dutch software engineer Tijme Gommers has revealed a still-active reflected cross-site scripting vulnerability and borked password controls in McDonald's main website that could be fodder for phishing attacks.

The attack, reported on Gommers' blog, is possible thanks to an Angular expression injection vuln present in mcdonalds.com and could be used to steal and ship logins to attackers along with account information should users follow links.

The restaurant accounts are basic and appear useful only for McDonald's fans who sign up for the company's newsletters.

McDonald's did not hash user passwords and instead encrypted client-side passwords opening avenues for the credentials to be stolen by interested hackers.

"I would say that storing the password in the browser cookies in a reversible form is no better or worse than MD5'ing passwords as 'remember me' tokens," says Open Web Application Security Project (OWASP) director Andrew van der Stock.

"It's just not leading practice and we don't do that any more.

"Yes, the reflected cross-site scripting is bad, which has terrible outcomes for users, but it is made worse by the fact that the user's password is then remotely available to any attacker who bothers to send out a phish."

Van der Stock says McDonald's could have used JSON web tokens to create unique, signed 'remember me' tokens for users.

McDonalds is also running an old outdated version of JBoss, possibly dating back to 2010. The version 2.1.10 appears under the site's forgot password link.

Gommers attempted to report the bug to McDonalds via its Twitter account, through its Netherlands office, bug bounty service HackerOne, and on the restaurant's main telephone line.

The disclosure attempts were over the festive break, however, starting Christmas Eve, and finishing 30 December, before Gommers' published the disclosure on 5 January.

That triggered a broad rebuke from the security community which generally operates on a 30-day minimum disclosure and patch deadline. ®

Biting the hand that feeds IT © 1998–2017