A security researcher has discovered two vulnerabilities that allow an attacker to steal users’ passwords from McDonald’s official website.
Researcher Tijme Gommers was recently poking around the fast food company’s website when he discovered something interesting: a search page on McDonalds.com reflects the value of the search parameter in the webpage’s code.
After discovering that the website uses AngularJS, a JavaScript framework that can be added to HTML pages to build dynamic web apps, Gommers wanted to see whether the reflected search value was being evaluated as an AngularJS template expression, for example by getting the page to print the unique ID of the AngularJS scope in a browser alert.
AngularJS evaluates such expressions inside an expression sandbox meant to keep them away from objects like window and document. (The AngularJS team has itself said the sandbox was never a security boundary, and it was removed in version 1.6.) The researcher therefore used the well-known sandbox escape {{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}}
as the search value. That payload calls alert(1); since the escape hands an arbitrary expression to the browser's real JavaScript engine, the same trick prints the scope ID or runs any other script in the context of McDonalds.com. Entering the snippet into McDonald's search field did exactly that: he got the scope ID in a browser alert, which makes the search page a reflected cross-site scripting (XSS) flaw, triggered by a crafted search request.
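Why the reflected search value is exploitable even if it is HTML-escaped, and how the same page can render it safely, as an added example (not code from McDonalds.com or from Gommers' post). The payload string is the one quoted above; the page markup, the function names and the small interpolation check are assumptions made for the demo.

```javascript
// Added example (not code from McDonalds.com or from Gommers' post): why an
// AngularJS page that reflects a query parameter is injectable even when the
// value is HTML-escaped, and how to render the same value safely.

// The sandbox-escape payload quoted in the article, used here as sample input.
const PAYLOAD =
  "{{x = {'y':''.constructor.prototype}; x['y'].charAt=[].join;$eval('x=alert(1)');}}";

// Standard HTML escaping. It stops classic <script> injection but does nothing
// against AngularJS interpolation: "{" and "}" are not HTML-special, and the
// browser decodes &#39; back to ' before AngularJS reads the text node, so the
// framework sees the original payload.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern (assumed markup): the reflected term lands inside the
// ng-app element, so the AngularJS compiler treats it as part of the template
// and evaluates any {{...}} it contains.
function renderSearchVulnerable(query) {
  return `<div ng-app="search"><p>You searched for: ${escapeHtml(query)}</p></div>`;
}

// Hardened pattern: wrap the reflected region in ng-non-bindable so the
// compiler leaves it alone. Keeping user input out of the ng-app subtree
// altogether is the other usual fix.
function renderSearchHardened(query) {
  return `<div ng-app="search"><p>You searched for: <span ng-non-bindable>${escapeHtml(query)}</span></p></div>`;
}

// A deliberately small model of the compiler's decision, usable as a review
// check over rendered HTML: does any {{...}} appear inside the ng-app element
// outside an ng-non-bindable region? Assumes the simple markup shapes above.
function hasLiveInterpolation(html) {
  const withoutInert = html.replace(/<span ng-non-bindable>[\s\S]*?<\/span>/g, '');
  const app = /<div ng-app="[^"]*">([\s\S]*?)<\/div>/.exec(withoutInert);
  return app !== null && /\{\{[\s\S]*?\}\}/.test(app[1]);
}
```

The check is a model of one rule, not a parser: in a real review, grep the served templates for user-controlled text inside any ng-app subtree, and treat an HTML-escaping filter as irrelevant to this class of bug.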
That’s not the only interesting thing Gommers discovered with McDonald’s website, however. The researcher elaborates on this point in a blog post:
“Another thing I noticed on McDonalds.com was their sign in page which contained a very special checkbox. Normally you can check ‘Remember me’ when signing in, but the McDonald’s sign in page gives us the option to remember the password.”
After digging a little deeper, the researcher found code that decrypted a user's stored password client side, and observed that McDonald's uses CryptoJS, a JavaScript crypto library, to encrypt and decrypt the sensitive data. Decryption in the browser means the key, or everything needed to derive it, has to be present in the site's own JavaScript, so the "encrypted" password in the cookie is only obfuscated. Anyone who obtains a user's cookie can recover the password, and Gommers showed this by printing it in a browser alert.
He did so by chaining the two flaws: JavaScript injected through the search page loads the homepage in an iframe. Once the frame has loaded, the script reads the cookie, executes the sandbox escape, decrypts the stored password and prints it in a browser alert.
To his credit, the security researcher attempted to notify McDonald's of the vulnerabilities. But he did so on 24 December, right at the start of the holiday season.
It gets worse. Responsible (coordinated) disclosure norms typically give a company at least 30 days, and often as many as 90, to respond to a report before the researcher goes public. Gommers waited less than two weeks, from 24 December to 5 January, before publishing details of the flaws he had discovered.
Not surprisingly, people on Reddit weren’t happy with how Gommers handled the situation. As one commenter said:
“That public disclosure timeline is pretty ridiculous as far as I’m concerned. The first report was made on Christmas Eve (a Saturday) and the public release was on January 5th. Not only are there two public (US) holidays in that timeline, but a lot of companies give two days off for Christmas as well. So McDonalds was basically given 5 business days to respond during the holidays. Half of the senior staff at my company took the week off, and I wouldn’t be surprised if the same was true at McDonald’s.”
Hopefully, Gommers will heed this criticism and practice responsible disclosure in the future. We can also only hope that McDonald's quickly patches the vulnerabilities discovered by Gommers. They have now been public for more than a week, which means attackers can abuse them for as long as the flaws remain unpatched.
I suppose he's just following Google's example…