McDonald's website security flaws put user passwords at risk

Out-of-date AngularJS software to blame

Restaurant chain McDonald's is running an insecure website that could enable users' passwords to be compromised.

The vulnerability was uncovered by Dutch security expert Tijme Gommers, who informed McDonald's but decided against waiting the customary 30 days before telling everyone else, as the company didn't condescend to reply to his security reports.

The problem, claims Gommers, isn't just the frowned-upon practice of storing the user password on the client, but also the outdated version of AngularJS that McDonald's runs on its website.

"By abusing an insecure cryptographic storage vulnerability and a reflected server cross-site-scripting vulnerability it is possible to steal and decrypt the password from a McDonald's user," he wrote in a blog uncovering the security shortcoming.

Rather than hash user passwords like all the cool kidz do, McDonald's instead encrypts passwords on the client - a somewhat frowned-upon security practice, to say the least. "If there's one thing you shouldn't do, it's decrypting passwords client side (or even storing passwords using two-way encryption)," writes Gommers, who wrote a simple JavaScript exploit that can decrypt McDonald's website passwords.

Because the same key is used to decrypt the password of every user, it's not beyond the bounds of possibility that an attacker could use a phishing attack to compromise McDonald's website passwords. Nor is it beyond the bounds of possibility that the kind of person who has a McDonald's website login also uses the same email address/password combination on scores of other websites.

The AngularJS security shortcomings, meanwhile, concern the environment's code-execution sandbox, which was removed in more recent versions.

"All AngularJS code is executed in a sandbox. However, the AngularJS sandbox isn't really safe. In fact, it shouldn't be trusted at all. It even got removed in version 1.6 because it gave a false sense of security," added Gommers.

This has been known for more than a year and is well-covered here.

And AngularJS isn't the only outdated software that McDonald's is running: it's also running a near-seven-year-old version of JBoss.