McDonald’s website is insecure and could lead to passwords being stolen, according to Dutch software engineer Tijme Gommers. The attack, reported on Gommers’ blog, is possible thanks to an Angular expression injection vulnerability present in mcdonalds.com and could be used to steal logins and account information and ship them to attackers, should users follow a crafted link. IT security experts from Tripwire, AlienVault, Lieberman Software, ESET, Prevoty and VASCO Data Security commented below.
Tim Erlin, Sr. Director, Product Management at Tripwire:
“It’s important for companies to work with security researchers, rather than against them. While it can be tough to accept vulnerability reports from third-parties, a policy of cooperation generally delivers better results.”
Javvad Malik, Security Advocate at AlienVault:
“These are not obscure vulnerabilities or zero days. There are well-established standards on how to secure web applications and securely implement user authentication, including how to manage passwords.”
Jonathan Sander, VP of Product Strategy at Lieberman Software:
“Not all Internet services are created equal. All good sense and advice tells you to take more care managing your bank’s website password than a password you use for some fast food joint. You can work out that your Facebook password is a little less important than your bank, but still more important than McDonald’s. What this McDonald’s vulnerability reminds us is that everyone needs to have at least a minimum amount of caution everywhere online. This serves to reinforce the advice users are given all the time – never use the same password for multiple sites, especially not low priority sites. McDonald’s isn’t exactly protecting the world’s most important data on their customer website. All the same, using very old servers and tools on the site which have well known security problems seems irresponsible.”
Mark James, IT Security Specialist at ESET:
“It’s hard enough these days keeping your passwords unique and safe from modern threats and cybercriminals without companies making life easy for them. Encrypting passwords on the client side is plain and simply bad security practice. An attacker could, through a phishing attack, fairly easily compromise those passwords and indeed anyone else’s password used on the McDonalds site, as the same key is used for every user. If that user were to use the same username (email address) and password on other websites (that may of course include financial logins), those credentials could easily be stolen and used elsewhere.”
What could be the consequences of running an outdated version of Angular JS?
“Making sure your server and applications are using the latest and indeed secure software is one of the ways of maintaining the level of security that users would expect from the companies entrusted with their safety. Software improves at an astonishing rate, and likewise some software is proven to not actually be safe enough for purpose. When this happens, the simple truth is you have to move to something safer. Yes, there’s a cost and yes it takes time, but ultimately you have an obligation to do all you can to protect your users’ data if you store it. The AngularJS sandbox was removed from version 1.6 onwards as it was found to give a false sense of security; at that point alarm bells should be ringing: time to upgrade and/or evaluate the consequences of running outdated, insecure versions of software with known security vulnerabilities.”
Julien Bellanger, Co-Founder and CEO at Prevoty:
David Vergara, Head of Global Product Marketing at VASCO Data Security:
John Gunn, VP of Communications at VASCO Data Security:
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.