A researcher has disclosed a couple of unpatched vulnerabilities affecting the official McDonald’s website after the company ignored his attempts to responsibly report the issues.
Dutch security enthusiast Tijme Gommers discovered a reflected cross-site scripting (XSS) vulnerability in the search functionality of the McDonald’s website. The flaw can be exploited through a known sandbox escape method in the AngularJS JavaScript framework, and it allows an attacker to load an external JavaScript file that can be designed to steal a user’s password.
According to the researcher, the McDonald’s website decrypts the password client side using a cookie that is valid for an entire year. Since the same key and initialization vector are used for every customer, it’s easy to obtain a password in plain text.
An attacker can create a link that exploits the XSS vulnerability to load an external JavaScript file. Once the user clicks on the malicious mcdonalds.com link, their password is decrypted and sent to the attacker. Gommers said the vulnerabilities also expose names, addresses and other details.
The researcher made several attempts to report the vulnerabilities to McDonald’s between December 24 and December 30. Since the company did not respond, the expert decided to disclose the security holes on January 5. While some commended the decision, arguing that companies such as McDonald’s typically ignore such vulnerability reports, others believe he should have given them more time, especially since it was during the holidays.
Several XSS vulnerabilities were discovered on McDonald’s websites in the past year, according to Open Bug Bounty. While two of the flaws were patched after their details were made public, several issues still remain unfixed.
“Reflected XSS is one of the most common vulnerability introduced by developers in web-facing applications,” said Julien Bellanger, co-founder and CEO of Prevoty. “Enterprises are struggling with securing production applications at scale due to more frequent releases and the rise of agile and DevOps practices. I would expect to see more of these critical disclosures in the future.”
Related Reading: WordPress Flaw Allows XSS Attack via Image Filenames
Related Reading: Google Releases New XSS Prevention Tools
Related Reading: XSS Flaw Exposed eBay Users to Phishing Attacks