A cross-site scripting flaw in McDonald’s website could allow an attacker to steal and decrypt a password from a registered user.
According to the research published on 6th January by Tijme Gommers, by abusing an insecure cryptographic storage vulnerability and a reflected server-side cross-site scripting vulnerability, it is possible to steal and decrypt a password, while personal details such as the user's name, address and contact details can be stolen too.
Gommers revealed that the code to decrypt the password runs on the client side of the sign-in page, and said that “McDonald's uses CryptoJS to encrypt and decrypt sensitive data” using the same key. Because that key is the same for every user, an attacker only has to steal the persistent cookie to decrypt that user's password.
The fast food chain is also running an outdated version of JBoss, as version 2.1.10 appears under the website's forgot password link.
Lee Munson, security researcher at Comparitech, said: “McDonald’s decision to encrypt user passwords on the client is a strange one and its customers, especially those who reuse the same password on all of their accounts, are highly unlikely to be lovin’ it. That’s because it allows passwords to be decrypted relatively easily and the same key gives access to every user’s credentials.
“On top of that, the food chain’s decision to stick with an older version of Angular JS is also a strange one – new releases often arrive as much for reasons of security as they do for feature upgrades. By running an older version, McDonald’s is simply inviting a hacker to come along and find a handful of vulnerabilities.
“Lastly, the fact that the restaurant chain is also running an outdated version of JBoss would seem to highlight issues at the version control or, worse, security team level.”
Gommers claimed that he attempted to report the bug to McDonald's via its Twitter account, through its Netherlands office, the bug bounty service HackerOne, and on the restaurant's main telephone line, The Register reported. However, these attempts were made between 24th and 30th December, before Gommers published the disclosure on 5 January. Bugcrowd CEO Casey Ellis told Infosecurity via Twitter that there is no rule that the 30-day disclosure process excludes holiday dates, "but there's etiquette and common-sense", and he suspected that another eight days' grace wouldn't have hurt much here.
Javvad Malik, security advocate at AlienVault, said: “There’s no need to ever encrypt passwords. The thing with encryption is that it is designed to be two-way, so if you can encrypt something, it is possible to decrypt it, which is why a one-way hash (with salt) is commonly used to protect passwords.
“A hash is one way (like a fingerprint): just as a finger can always create the same fingerprint, the fingerprint can’t create the finger. Use of any outdated or vulnerable software is always a risky prospect, particularly on public-facing websites.”