McDonald’s has been caught by Dutch security expert Tijme Gommers running an insecure website that could lead to users’ passwords being stolen. According to Gommers, by abusing an insecure cryptographic storage vulnerability and a reflected server-side cross-site scripting vulnerability it is possible to steal and decrypt the password of a McDonald’s user. Besides that, other personal details like the user’s name, address and contact details can be stolen too.
Security experts share their views on the insecurity, with advice for users:
Mark James, IT Security Specialist at ESET, explains why this was bad practice from McDonald’s:
“It’s hard enough these days keeping your passwords unique and safe from modern threats and cybercriminals without companies making life easy for them. Encrypting passwords on the client side is plain and simply bad security practice. An attacker could, through a phishing attack, fairly easily compromise those passwords and indeed anyone else’s password used on the McDonald’s site, as the same key is used for every user. If that user were to use the same username (email address) and password on other websites (that may of course include financial logins) those credentials could easily be stolen and used elsewhere.”
“Making sure your server and applications are using the latest and indeed secure software is one of the ways of maintaining the level of security that users would expect from the companies entrusted with their safety. Software improves at an astonishing rate and likewise some software is proven to not actually be safe enough for purpose. When this happens the simple truth is you have to move to something safer. Yes, there’s a cost and yes it takes time but ultimately you have an obligation to do all you can to protect your users’ data if you store it. The AngularJS sandbox was removed from version 1.6 onwards as it was found to give a false sense of security, at that point alarm bells should be ringing, time to upgrade and or evaluate the consequences of running outdated insecure versions of software with known security vulnerabilities.”
Tim Erlin, Sr. Director, Product Management at Tripwire:
“It’s easy to see why financial information like credit card or bank account details are valuable to criminals, but simple personal information can be a target for cybercrime as well. High quality personal information, including full names and email addresses, can be sold for profit.
It’s important for companies to work with security researchers, rather than against them. While it can be tough to accept vulnerability reports from third-parties, a policy of cooperation generally delivers better results.”
Javvad Malik, security advocate at AlienVault:
“There’s no need to ever encrypt passwords. (I made a video on this topic a couple of years ago). The thing with encryption is that it is designed to be two-way. So if you can encrypt something, it is possible to decrypt it. Which is why a one-way hash (with salt) is commonly used to protect passwords. A hash is one way (like a fingerprint): just like a finger can always create the same fingerprint, but the fingerprint can’t create the finger. Use of any outdated or vulnerable software is always a risky prospect, particularly on public-facing websites.
These are not obscure vulnerabilities or zero days. There are well-established standards on how to secure web applications and securely implement user authentication, including how to manage passwords.”
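The contrast Malik draws, reversible encryption under one shared key versus a salted one-way hash, as an added Python example (not code from the article or from any site it mentions); the XOR routine is a constructed stand-in for any key-based cipher, and the stored-record layout is an assumption:

```python
import hashlib
import hmac
import os

# Weak pattern (what James and Malik criticise): reversible encryption with a
# single site-wide key. XOR stands in for any cipher here; the point is
# structural, not about XOR itself.
SHARED_KEY = b"site-wide-static-key"  # constructed placeholder, not a real key


def xor_with_key(data: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Encrypt or decrypt: the same call, because the operation is two-way."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_plaintext(ciphertext: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Anyone holding the shared key runs the cipher backwards."""
    return xor_with_key(ciphertext, key)


# Stronger pattern: salted, slow, one-way hash (PBKDF2-HMAC-SHA256 from the
# standard library). There is deliberately no inverse function.
def hash_password(password: str, iterations: int = 600_000) -> str:
    salt = os.urandom(16)  # per-user random salt, so equal passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Assumed record layout: algorithm$iterations$salt_hex$digest_hex
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # constant-time comparison avoids leaking where the digests diverge
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```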
Jonathan Sander, VP of Product Strategy at Lieberman Software:
“When you’re thinking of places you need to apply special care to your online life’s security, the McDonald’s website doesn’t leap immediately to mind. However, imagine the hapless user who has been exploited on the McDonald’s site finding they can’t supersize their meal today because their bank account has been emptied by a bad guy who had it his way with the person’s bank account since they used that same McDonald’s password on their bank’s site.
Not all Internet services are created equal. All good sense and advice tells you to take more care managing your bank’s website password than a password you use for some fast food joint. You can work out that your Facebook password is a little less important than your bank, but still more important than McDonald’s. What this McDonald’s vulnerability reminds us is that everyone needs to have at least a minimum amount of caution everywhere online. This serves to reinforce the advice users are given all the time – never use the same password for multiple sites, especially not low priority sites. McDonald’s isn’t exactly protecting the world’s most important data on their customer website. All the same, using very old servers and tools on the site which have well known security problems seems irresponsible.”