[BreachExchange] McDonald’s website insecurity leaves users’ passwords vulnerable

Inga Goddijn inga at riskbasedsecurity.com
Tue Jan 17 15:23:41 EST 2017


http://www.itsecurityguru.org/2017/01/17/mcdonalds-website-insecurity-leaves-users-passwords-vulnerable/

McDonald’s has been caught by Dutch security expert Tijme Gommers
<https://finnwea.com/blog/stealing-passwords-from-mcdonalds-users> running
an insecure website that could lead to users’ passwords being stolen.
According to Gommers, by abusing an insecure cryptographic storage
vulnerability (link
<https://www.owasp.org/index.php/Top_10_2007-Insecure_Cryptographic_Storage>)
and a reflected server cross-site scripting vulnerability (link
<https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_%28XSS%29>)
it is possible to steal and decrypt the password of a McDonald’s user.
Besides that, other personal details like the user’s name, address and
contact details can be stolen too.

Security experts share their views on the insecurity, with advice for users:

*Mark James, IT Security Specialist at ESET
<http://www.eset.co.uk/> explains why this was bad practice from
McDonald’s:*

“It’s hard enough these days keeping your passwords unique and safe from
modern threats and cybercriminals without companies making life easy for
them. Encrypting passwords on the client side is plain and simple bad
security practice. An attacker could, through a phishing attack, fairly
easily compromise those passwords and indeed anyone else’s password used on
the McDonald’s site, as the same key is used for every user. If that user
were to use the same username (email address) and password on other
websites (that may of course include financial logins) those credentials
could easily be stolen and used elsewhere.”

“Making sure your server and applications are using the latest and indeed
secure software is one of the ways of maintaining the level of security
that users would expect from the companies entrusted with their safety.
Software improves at an astonishing rate and likewise some software is
proven to not actually be safe enough for purpose. When this happens the
simple truth is you have to move to something safer. Yes, there’s a cost
and yes it takes time, but ultimately you have an obligation to do all you
can to protect your users’ data if you store it. The AngularJS sandbox was
removed from version 1.6 onwards as it was found to give a false sense of
security; at that point alarm bells should be ringing: time to upgrade and/or
evaluate the consequences of running outdated, insecure versions of
software with known security vulnerabilities.”

*Tim Erlin, Sr. Director, Product Management at Tripwire
<http://www.tripwire.com/>:*

“It’s easy to see why financial information like credit card or bank
account details are valuable to criminals, but simple personal information
can be a target for cybercrime as well. High quality personal information,
including full names and email addresses, can be sold for profit.

It’s important for companies to work with security researchers, rather than
against them. While it can be tough to accept vulnerability reports from
third-parties, a policy of cooperation generally delivers better results.”

*Javvad Malik, security advocate at AlienVault
<https://www.alienvault.com/?utm_source=google&utm_medium=cpc&utm_term=kwd-54306795668&utm_campaign=BRAND-EMEA-GGL-SE&gclid=CJnU9Pz9xtECFRQ8GwodSQ8PKw>:*

“There’s no need to ever encrypt passwords. (I made a video
<https://youtu.be/FYfMZx2hy_8> on this topic a couple of years ago.) The
thing with encryption is that it is designed to be two-way. So if you can
encrypt something, it is possible to decrypt it. Which is why a one-way
hash (with salt) is commonly used to protect passwords. A hash is one way
(like a fingerprint): just as a finger can always create the same
fingerprint, the fingerprint can’t create the finger. Use of any
outdated or vulnerable software is always a risky prospect, particularly
on public-facing websites.

These are not obscure vulnerabilities or zero days. There are
well-established standards on how to secure web applications and securely
implement user authentication, including how to manage passwords.”

*Jonathan Sander, VP of Product Strategy at Lieberman Software
<https://liebsoft.com/>:*

“When you’re thinking of places you need to apply special care to your
online life’s security, the McDonald’s website doesn’t leap immediately to
mind. However, imagine the hapless user who has been exploited on the
McDonald’s site finding they can’t supersize their meal today because their
bank account has been emptied by a bad guy who had it his way with the
person’s bank account since they used that same McDonald’s password on
their bank’s site.

Not all Internet services are created equal. All good sense and advice
tells you to take more care managing your bank’s website password than a
password you use for some fast food joint. You can work out that your
Facebook password is a little less important than your bank, but still more
important than McDonald’s. What this McDonald’s vulnerability reminds us is
that everyone needs to have at least a minimum amount of caution everywhere
online. This serves to reinforce the advice users are given all the time –
never use the same password for multiple sites, especially not low priority
sites. McDonald’s isn’t exactly protecting the world’s most important data
on their customer website. All the same, using very old servers and tools
on the site which have well known security problems seems irresponsible.”