McDonald’s website is insecure and could lead to passwords being stolen, according to Dutch software engineer Tijme Gommers. The attack, reported on Gommers’ blog, is possible thanks to an AngularJS expression injection vulnerability present on mcdonalds.com and could be used to send a user’s login credentials and account information to an attacker if the user follows a crafted link. IT security experts from Tripwire, AlienVault, Lieberman Software, ESET, Prevoty and VASCO Data Security commented below.
Tim Erlin, Sr. Director, Product Management at Tripwire:
“It’s easy to see why financial information like credit card or bank account details are valuable to criminals, but simple personal information can be a target for cybercrime as well. High quality personal information, including full names and email addresses, can be sold for profit.
It’s important for companies to work with security researchers, rather than against them. While it can be tough to accept vulnerability reports from third-parties, a policy of cooperation generally delivers better results.”
Javvad Malik, Security Advocate at AlienVault:
“There’s no need to ever encrypt passwords. (I made a video on this topic a couple of years ago.) The thing with encryption is that it is designed to be two-way. So if you can encrypt something, it is possible to decrypt it. Which is why a one-way hash (with salt) is commonly used to protect passwords. A hash is one-way, like a fingerprint: a finger can always create the same fingerprint, but the fingerprint can’t create the finger. Use of any outdated or vulnerable software is always a risky prospect, particularly on public-facing websites.
These are not obscure vulnerabilities or zero days. There are well-established standards on how to secure web applications and securely implement user authentication, including how to manage passwords.”
Jonathan Sander, VP of Product Strategy at Lieberman Software:
“When you’re thinking of places you need to apply special care to your online life’s security, the McDonald’s website doesn’t leap immediately to mind. However, imagine the hapless user who has been exploited on the McDonald’s site finding they can’t supersize their meal today because their bank account has been emptied by a bad guy who had it his way with the person’s bank account since they used that same McDonald’s password on their bank’s site.
Not all Internet services are created equal. All good sense and advice tells you to take more care managing your bank’s website password than a password you use for some fast food joint. You can work out that your Facebook password is a little less important than your bank, but still more important than McDonald’s. What this McDonald’s vulnerability reminds us is that everyone needs to have at least a minimum amount of caution everywhere online. This serves to reinforce the advice users are given all the time – never use the same password for multiple sites, especially not low priority sites. McDonald’s isn’t exactly protecting the world’s most important data on their customer website. All the same, using very old servers and tools on the site which have well known security problems seems irresponsible.”
Mark James, IT Security Specialist at ESET:
Why is it so bad to encrypt passwords on the client?
“It’s hard enough these days keeping your passwords unique and safe from modern threats and cybercriminals without companies making life easy for them. Encrypting passwords on the client side is plainly and simply bad security practice. An attacker could, through a phishing attack, fairly easily compromise those passwords and indeed anyone else’s password used on the McDonald’s site, as the same key is used for every user. If that user were to use the same username (email address) and password on other websites (that may of course include financial logins) those credentials could easily be stolen and used elsewhere.”
What could be the consequences of running an outdated version of AngularJS?
“Making sure your server and applications are using the latest and indeed secure software is one of the ways of maintaining the level of security that users would expect from the companies entrusted with their safety. Software improves at an astonishing rate and likewise some software is proven to not actually be safe enough for purpose. When this happens the simple truth is you have to move to something safer. Yes, there’s a cost and yes it takes time, but ultimately you have an obligation to do all you can to protect your users’ data if you store it. The AngularJS sandbox was removed from version 1.6 onwards as it was found to give a false sense of security; at that point alarm bells should be ringing, time to upgrade and/or evaluate the consequences of running outdated insecure versions of software with known security vulnerabilities.”
Julien Bellanger, Co-Founder and CEO at Prevoty:
“Reflected XSS is one of the most common vulnerabilities introduced by developers in web-facing applications. Enterprises are struggling with securing production applications at scale due to more frequent releases and the rise of agile and DevOps practices. I would expect to see more of these critical disclosures in the future.”
David Vergara, Head of Global Product Marketing at VASCO Data Security:
“This is one more example of a successful exploit that leveraged a combination of IT security vulnerabilities, beginning with reliance on the decades-old password. It’s no secret that successful hackers follow the path of least resistance and in this case, they hit the trifecta… password use, dated software and weak encryption. The most effective security solutions today favor multi-factor authentication over the static password, they provide end-to-end client/server encryption, and they secure other weak links like mobile apps from the inside out, with technologies such as RASP.”
John Gunn, VP of Communications at VASCO Data Security:
“This distasteful Big Mac Attack underscores the risks of loyalty programs. Because large dollar transactions aren’t involved in loyalty programs, both consumers and companies take a far too casual approach to security. For the 50% of victims that use the same user name and password for every account, hackers just gained login credentials for their bank accounts and that will spoil anyone’s happy meal. All parties need to work together to accelerate the move away from passwords to multifactor authentication.”