A researcher has disclosed a couple of unpatched vulnerabilities affecting the official McDonald’s website after the company ignored his attempts to responsibly report the issues.
According to the researcher, the McDonald’s website decrypts the user’s password on the client side from a cookie that remains valid for an entire year. Because the same encryption key and initialization vector are used for every customer, the password can easily be recovered in plain text.
The researcher made several attempts to report the vulnerabilities to McDonald’s between December 24 and December 30. Since the company did not respond, the expert decided to disclose the security holes on January 5. While some commended the decision, arguing that companies such as McDonald’s typically ignore such vulnerability reports, others believe he should have given them more time, especially since it was during the holidays.
Several XSS vulnerabilities were discovered on McDonald’s websites in the past year, according to Open Bug Bounty. While two of the flaws were patched after their details were made public, several issues still remain unfixed.
“Reflected XSS is one of the most common vulnerabilities introduced by developers in web-facing applications,” said Julien Bellanger, co-founder and CEO of Prevoty. “Enterprises are struggling with securing production applications at scale due to more frequent releases and the rise of agile and DevOps practices. I would expect to see more of these critical disclosures in the future.”