Data Protection

McDonald’s Website Flaws Allow Phishing Attacks

A researcher has disclosed a couple of unpatched vulnerabilities affecting the official McDonald’s website after the company ignored his attempts to responsibly report the issues.

Dutch security enthusiast Tijme Gommers discovered a reflected cross-site scripting (XSS) vulnerability in the search functionality of the McDonald’s website. The flaw can be exploited through a known sandbox escape method in the AngularJS JavaScript framework, and it allows an attacker to load an external JavaScript file of their choosing into the page, where it runs with the site’s privileges and can be designed to steal a user’s password.

According to the researcher, the McDonald’s website stores the user’s password, encrypted, in a cookie that is valid for an entire year and decrypts it client-side. Since the same key and initialization vector are used for every customer, and both are available to any script running in the page, recovering the plaintext password is trivial.

An attacker can create a link that exploits the XSS vulnerability to load an external JavaScript file. Once the user clicks on the malicious link, their password is decrypted and sent to the attacker. Gommers said the vulnerabilities also expose names, addresses and other details.

The researcher made several attempts to report the vulnerabilities to McDonald’s between December 24 and December 30. Since the company did not respond, the expert decided to disclose the security holes on January 5. While some commended the decision, arguing that companies such as McDonald’s typically ignore such vulnerability reports, others believe he should have given them more time, especially since it was during the holidays.

Several XSS vulnerabilities were discovered on McDonald’s websites in the past year, according to Open Bug Bounty. While two of the flaws were patched after their details were made public, several issues still remain unfixed.

“Reflected XSS is one of the most common vulnerabilities introduced by developers in web-facing applications,” said Julien Bellanger, co-founder and CEO of Prevoty. “Enterprises are struggling with securing production applications at scale due to more frequent releases and the rise of agile and DevOps practices. I would expect to see more of these critical disclosures in the future.”

Related Reading: WordPress Flaw Allows XSS Attack via Image Filenames

Related Reading: Google Releases New XSS Prevention Tools

Related Reading: XSS Flaw Exposed eBay Users to Phishing Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.