Hackers Lovin’ It As McDonald’s Site Vulnerable To Phishing Attack

McDonald’s main website is putting customer data, including names, addresses, contact details and passwords, at risk because a flaw leaves it vulnerable to phishing attacks, according to Dutch software engineer Tijme Gommers.

A reflected, server-side cross-site scripting (XSS) vulnerability means it is possible for attackers to steal and decrypt the passwords and personal information of users who sign up for the McDonald’s newsletter.

Gommers says he tried to contact McDonald’s several times, but decided to ignore the customary 30-day grace period and disclose the vulnerability after failing to receive a reply from the company.

Website flaw

The main issue is that McDonald’s encrypts and stores passwords on the client side, rather than following the generally accepted practice of password hashing. Gommers was able to run a JavaScript exploit that retrieved the “penc” value, a cookie that is stored for a year, and decrypt the password it contained.

And because the same key is used for every user, the penc value enables him to decrypt the password of any user. “If there’s one thing you shouldn’t do, it’s decrypting passwords client side (or even storing passwords using two-way encryption).”

Javvad Malik, security advocate at AlienVault, said: “There’s no need to ever encrypt passwords. The thing with encryption is that it is designed to be two-way. So if you can encrypt something, it is possible to decrypt it. Which is why a one-way hash (with salt) is commonly used to protect passwords.

“A hash is one way (like a fingerprint): just as a finger can always create the same fingerprint, the fingerprint can’t create the finger. Use of any out-dated or vulnerable software is always a risky prospect, particularly on public-facing websites.

“These are not obscure vulnerabilities or zero days. There are well-established standards on how to secure web applications and securely implement user authentication, including how to manage passwords.”

Jonathan Sander, VP of Product Strategy at Lieberman Software, warned that, while the McDonald’s website is by no means a priority when it comes to protecting your online security, password reuse means attackers might be able to access more sensitive parts of your online identity.

“What this McDonald’s vulnerability reminds us is that everyone needs to have at least a minimum amount of caution everywhere online,” he said. “This serves to reinforce the advice users are given all the time – never use the same password for multiple sites, especially not low priority sites.

“McDonald’s isn’t exactly protecting the world’s most important data on their customer website. All the same, using very old servers and tools on the site which have well known security problems seems irresponsible.”


Sam Pudwell

Sam Pudwell joined Silicon UK as a reporter in December 2016. As well as being the resident Cloud aficionado, he covers areas such as cyber security, government IT and sports technology, with the aim of going to as many events as possible.
