CUT-PRICE BURGER EMPORIUM McDonald's has been caught running an insecure website that could lead to users' passwords being hamburgled. Or stolen, in plain English.
The vulnerability was uncovered by Dutch security expert Tijme Gommers, who informed McDonald's, but decided against waiting the customary 30 days before telling everyone else as the company didn't condescend to reply to his security reports.
The problem, claims Gommers, isn't just the shonky practice of storing user passwords on the client, but also the outdated version of Angular JS that the company runs on its website.
"By abusing an insecure cryptographic storage vulnerability and a reflected server cross-site-scripting vulnerability it is possible to steal and decrypt the password from a McDonald's user," he wrote in a blog uncovering the security shortcoming.
Rather than hash user passwords like all the cool kidz do, McDonald's instead encrypts passwords on the client - a somewhat frowned-upon security practice, to say the least.
Because the same key is used to decrypt the password of every user, it's not beyond the bounds of possibility that an attacker can use a phishing attack to compromise McDonald's website passwords. It's also not beyond the bounds of possibility that the kind of person who has a McDonald's website login also uses the same email address/password combination with scores of other websites.
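To make the point concrete, here is an added example (not code from the article, from McDonald's or from Gommers) that sets the two patterns side by side: a password "protected" by a reversible cipher under one static key that every client ships with, versus a salted, slow hash that the server stores and can only verify. The key, salt, iteration count and the toy keystream cipher are constructed assumptions for illustration; the article does not say which cipher the site used.

```python
"""Added example: reversible client-side encryption vs. salted server-side hashing.

The shared key, salt handling and the toy XOR keystream are constructed for
illustration and are not taken from the article or from any real site.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# --- Weak pattern: one static key baked into the client, shared by every user ---
# Constructed placeholder; anything shipped to the browser is public knowledge.
SHARED_KEY = b"example-static-key-shipped-to-browser"


def _keystream(key: bytes, length: int) -> bytes:
    """Toy keystream derived from the key (stands in for any symmetric cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def client_encrypt(password: str) -> bytes:
    """What a client-side 'encrypt the password' scheme produces."""
    data = password.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(SHARED_KEY, len(data))))


def anyone_with_key_decrypts(blob: bytes) -> str:
    """Because the key is shared and static, the operation is fully reversible
    by whoever holds the blob and the (public) key: a phished or leaked blob
    gives the plaintext password straight back."""
    return bytes(a ^ b for a, b in zip(blob, _keystream(SHARED_KEY, len(blob)))).decode()


# --- Safer pattern: salted, iterated hash kept on the server ---
ITERATIONS = 600_000  # assumed work factor; tune to your hardware budget


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user means identical
    passwords do not produce identical stored values."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute and compare in constant time; the plaintext is never recoverable
    from the stored digest, which is the property client-side encryption lacks."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    blob = client_encrypt("hunter2")  # constructed sample password
    print("reversible:", anyone_with_key_decrypts(blob))
    salt, digest = hash_password("hunter2")
    print("verify ok:", verify_password("hunter2", salt, digest))
    print("verify bad:", verify_password("letmein", salt, digest))
```

The contrast worth noticing: `client_encrypt` gives the same output for the same password on every user's machine and is undone by a single shared key, whereas `hash_password` yields a per-user value that can only be checked, never decrypted, so a leaked user table does not hand over credentials reused on other sites.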
The AngularJS security shortcoming, meanwhile, concerns the environment's code-execution sandbox, which was removed in more recent versions.
"All AngularJS code is executed in a sandbox. However, the AngularJS sandbox isn't really safe. In fact, it shouldn't be trusted at all. It even got removed in version 1.6 because it gave a false sense of security," added Gommers.
This has been known for more than a year and is well-covered here.
And AngularJS isn't the only outdated software that McDonald's is running: it's also running a near-seven-year-old version of JBoss.
Maybe, like their burgers, McDonald's thinks software also lasts for centuries without going mouldy? µ