McDonald’s serving up security vulnerabilities



A Dutch security researcher has disclosed a serious vulnerability in McDonald’s website that could allow attackers to steal users’ credentials.

McDonald’s is a global giant, being one of the world’s largest fast-food restaurant chains, serving approximately 68 million customers daily in 119 countries with over 36,000 outlets.

Dutch security researcher Tijme Gommers discovered the vulnerability in McDonald’s website and reported to the company that customers’ passwords and account details could be stolen through it.

It is not just the poor handling of users’ details that is raising eyebrows; it is also the outdated version of AngularJS that the company runs on its website. AngularJS is a client-side (front-end) JavaScript framework, not back-end software, and the versions before 1.6 shipped an expression “sandbox” with publicly known bypasses; it was removed outright in 1.6 rather than patched, because it was never a real security boundary.

Two weaknesses combine. First, the site encrypts users’ passwords in the browser and stores the result on the client, using a key that the client-side code holds and that is the same for every user (insecure cryptographic storage). Second, a reflected cross-site scripting flaw, reachable through the outdated AngularJS, lets attacker-supplied script run in the page, where it can read the stored ciphertext and decrypt it with that shared key, recovering the user’s password.

Mark James, ESET IT Security Specialist, discusses the consequences of running outdated software.

“It’s hard enough these days keeping your passwords unique and safe from modern threats and cybercriminals without companies making life easy for them.

“Encrypting passwords on the client side is plain and simply bad security practice.

“It could enable an attacker, through a phishing attack, to fairly easily compromise those passwords, and indeed anyone else’s password used on the McDonald’s site, as the same key is used for every user.

“If that user were to use the same username or email address and password on other websites, which may include financial logins, those credentials could easily be stolen and used elsewhere.

“Making sure your server and applications are using the latest, and indeed secure, software is one of the ways of maintaining the level of security that users would expect from the companies entrusted with its safety.

“Software improves at an astonishing rate and likewise some software is proven to not actually be safe enough for purpose.

“When this happens the simple truth is you have to move to something safer; yes there’s a cost and of course it takes time, but ultimately you have an obligation to do all you can to protect your users’ data if you store it.

“The AngularJS sandbox was removed from version 1.6 onwards as it was found to give a false sense of security, at that point alarm bells should be ringing - time to upgrade and/or evaluate the consequences of running outdated insecure versions of software with known security vulnerabilities.”

Does it worry you that a company as large as McDonald’s doesn’t properly secure its users’ data? Let us know on Twitter @ESETUK
