McDonald’s Website Flaws Allow Phishing Attacks

A researcher has disclosed a couple of unpatched vulnerabilities affecting the official McDonald’s website after the company ignored his attempts to responsibly report the issues.

Dutch security enthusiast Tijme Gommers discovered a reflected cross-site scripting (XSS) vulnerability in the search functionality of the McDonald’s website. The flaw can be exploited through a known sandbox escape method in the AngularJS JavaScript framework, and it allows an attacker to load an external JavaScript file that can be designed to steal a user’s password.

According to the researcher, the McDonald’s website decrypts the password client side using a cookie that is valid for an entire year. Since the same key and initialization vector are used for every customer, it’s easy to obtain a password in plain text.

An attacker can create a link that exploits the XSS vulnerability to load an external JavaScript file. Once the user clicks on the malicious mcdonalds.com link, their password is decrypted and sent to the attacker. Gommers said the vulnerabilities also expose names, addresses and other details.
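The password handling described above, set beside a token-based alternative, as an added example that is not code from McDonald's or from the researcher. The cipher (AES-256-CBC), the key and IV values, the cookie name `remember` and all function names are assumptions constructed for illustration.

```javascript
const crypto = require('crypto');

// Constructed stand-ins for a site-wide key and IV shipped to every browser.
// AES-256-CBC is an assumption; the article does not name the cipher.
const SHARED_KEY = Buffer.alloc(32, 0x11);
const SHARED_IV = Buffer.alloc(16, 0x22);

// Weak design: the cookie holds the password itself, reversibly encrypted.
function weakRememberCookie(password) {
  const c = crypto.createCipheriv('aes-256-cbc', SHARED_KEY, SHARED_IV);
  return Buffer.concat([c.update(password, 'utf8'), c.final()]).toString('base64');
}

// Any script running in the page has the same key and IV, so the
// "encryption" is only an encoding: the plaintext password comes back.
function weakRecover(cookieValue) {
  const d = crypto.createDecipheriv('aes-256-cbc', SHARED_KEY, SHARED_IV);
  return Buffer.concat([d.update(Buffer.from(cookieValue, 'base64')), d.final()]).toString('utf8');
}

// Hardened design: the cookie holds a random token with no relation to the
// password; the server stores only its SHA-256 digest and an expiry.
const tokenStore = new Map(); // digest -> { user, expires }
const digestOf = (token) => crypto.createHash('sha256').update(token).digest('hex');

function issueRememberToken(user, ttlMs, now = Date.now()) {
  const token = crypto.randomBytes(32).toString('hex');
  tokenStore.set(digestOf(token), { user, expires: now + ttlMs });
  // HttpOnly keeps page scripts (including injected ones) from reading it.
  const setCookie = `remember=${token}; Max-Age=${Math.floor(ttlMs / 1000)}; ` +
    'Path=/; Secure; HttpOnly; SameSite=Lax';
  return { token, setCookie };
}

function verifyRememberToken(token, now = Date.now()) {
  const rec = tokenStore.get(digestOf(token));
  if (!rec) return null;
  if (rec.expires <= now) { tokenStore.delete(digestOf(token)); return null; }
  return rec.user;
}

function revokeRememberToken(token) {
  return tokenStore.delete(digestOf(token));
}
```

With the token design, a stolen cookie can be revoked server-side and never reveals the password, whereas the weak cookie stays reversible for as long as it exists.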

The researcher made several attempts to report the vulnerabilities to McDonald’s between December 24 and December 30. Since the company did not respond, the expert decided to disclose the security holes on January 5. While some commended the decision, arguing that companies such as McDonald’s typically ignore such vulnerability reports, others believe he should have given them more time, especially since it was during the holidays.

Several XSS vulnerabilities were discovered on McDonald’s websites in the past year, according to Open Bug Bounty. While two of the flaws were patched after their details were made public, several issues still remain unfixed.

“Reflected XSS is one of the most common vulnerabilities introduced by developers in web-facing applications,” said Julien Bellanger, co-founder and CEO of Prevoty. “Enterprises are struggling with securing production applications at scale due to more frequent releases and the rise of agile and DevOps practices. I would expect to see more of these critical disclosures in the future.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
