Dutch software engineer Tijme Gommers recently reported that it is possible to steal and decrypt McDonald's users' passwords, as well as their names, addresses and contact details, due to an insecure cryptographic storage vulnerability (passwords stored with reversible encryption and decrypted in the browser) combined with a reflected server XSS vulnerability.
Notably, Gommers pointed out, the site's sign-in page offers an option to "Remember my password" rather than the usual "Remember me." The wording is telling: a "Remember me" feature normally stores an opaque session token, whereas "Remember my password" implies the password itself is being persisted on the client.
“I searched through all the JavaScript for the keyword password and I found some interesting code that decrypts the password,” Gommers wrote. “If there’s one thing you shouldn’t do, it’s decrypting passwords client side (or even storing passwords using two-way encryption).”
Gommers tried to notify McDonald’s of the flaw via its Twitter account, through its Netherlands office, through the bug bounty service HackerOne, and via its main phone line, The Register reports, but he received no response.
Lieberman Software vice president Jonathan Sander told eSecurity Planet by email that the vulnerability should serve as a reminder that it’s important to maintain at least a minimum of caution everywhere online. “This serves to reinforce the advice users are given all the time — never use the same password for multiple sites, especially not low priority sites,” he said.
“Because large dollar transactions aren’t involved in loyalty programs, both consumers and companies take a far too casual approach to security,” VASCO Data Security vice president of communications John Gunn said in a statement. “For the 50 percent of victims that use the same user name and password for every account, hackers just gained login credentials for their bank accounts and that will spoil anyone’s happy meal.”
"All parties need to work together to accelerate the move away from passwords to multifactor authentication," Gunn added.
According to the results of a recent Gemalto survey of 9,000 consumers worldwide, just 29 percent of respondents believe companies are taking protection of their personal data very seriously, and 58 percent believe their data will be stolen at some point.
The majority of consumers say they would stop using a retailer (60 percent), bank (58 percent) or social media site (56 percent) if it suffered a data breach.
Still, 80 percent of consumers use social media despite 59 percent believing those networks pose a great risk to their data, and 87 percent use online or mobile banking despite 34 percent believing those services leave them vulnerable to cyber criminals.
“Consumers have clearly made the decision that they are prepared to take risks when it comes to their security, but should anything go wrong they put the blame with the business,” Gemalto CTO for data protection Jason Hart said in a statement. “The modern-day consumer is all about convenience, and they expect businesses to provide this, while also keeping their data safe.”
"With the impending threats of consumers taking legal action against companies, an education process is clearly needed to show consumers the steps they are taking to protect their data," Hart added. "Implementing and educating about advanced protocols like two-factor authentication and encryption solutions should show consumers that the protection of their personal data is being taken very seriously."
A recent eSecurity Planet article examined seven best practices for database security.