
Hackers Lovin’ It As McDonald’s Site Vulnerable To Phishing Attack

Sam Pudwell joined Silicon UK as a reporter in December 2016. As well as being the resident Cloud aficionado, he covers areas such as cyber security, government IT and sports technology, with the aim of going to as many events as possible.

Shoddy password practices leave the door open for hackers to take away customer details

McDonald’s main website is putting customer data, including names, addresses, contact details and passwords, at risk because a flaw leaves it vulnerable to phishing attacks, according to Dutch software engineer Tijme Gommers.

A reflected server cross-site scripting (XSS) vulnerability means it is possible for hackers to steal and decrypt the passwords and personal information of users who sign up for the McDonald’s newsletter.

Gommers says he tried to contact McDonald’s several times, but decided to ignore the customary 30-day grace period and disclose the vulnerability after failing to receive a reply from the company.


Website flaw

The main issue is that McDonald’s encrypts passwords and stores them on the client side, rather than following the generally accepted practice of password hashing. Gommers was able to run a JavaScript exploit that retrieved the “penc” value, held in a cookie that is stored for a year, and decrypt the password.

And, because the same key is used for every user, this penc value enables him to decrypt the password of every user. “If there’s one thing you shouldn’t do, it’s decrypting passwords client side (or even storing passwords using two-way encryption).”

Javvad Malik, security advocate at AlienVault, said: “There’s no need to ever encrypt passwords. The thing with encryption is that it is designed to be two-way. So if you can encrypt something, it is possible to decrypt it. Which is why a one-way hash (with salt) is commonly used to protect passwords.

“A hash is one way (like a fingerprint) just like a finger can always create the same fingerprint, but the fingerprint can’t create the finger. Use of any out-dated or vulnerable software is always a risky prospect, particularly on public-facing websites.

“These are not obscure vulnerabilities or zero days. There are well-established standards on how to secure web applications and securely implement user authentication, including how to manage passwords.”
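The contrast between two-way storage under one shared key and a salted one-way hash, as an added example that is not code from McDonald’s, Gommers or the article. The toy XOR keystream is only a stand-in for the site's unspecified cipher, PBKDF2-HMAC-SHA256 is one common choice of salted hash, and the key, function names and passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample key; illustrative only, not a value from the article.
SHARED_KEY = b"one-key-for-every-user"
PBKDF2_ROUNDS = 600_000  # assumed work factor; tune to your hardware


def _keystream(key: bytes, n: int) -> bytes:
    """Toy keystream (SHA-256 over a counter), a stand-in for any two-way cipher."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def reversible_store(password: str, key: bytes = SHARED_KEY) -> bytes:
    """Weak pattern: two-way transform under a key shared by all users."""
    data = password.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def reversible_recover(blob: bytes, key: bytes = SHARED_KEY) -> str:
    """Whoever holds the shared key gets every stored password back."""
    return bytes(a ^ b for a, b in zip(blob, _keystream(key, len(blob)))).decode()


def hash_password(password: str) -> tuple[bytes, bytes]:
    """Hardened pattern: per-user random salt plus a slow one-way function."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)
```

With the hashed form there is no recover function to write: the server only ever re-derives and compares, and two users with the same password still get different stored records.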

Jonathan Sander, VP of Product Strategy at Lieberman Software warned that, while the McDonald’s website is by no means a priority when it comes to protecting your online security, password reuse means hackers might be able to access more sensitive parts of your online identity.

“What this McDonald’s vulnerability reminds us is that everyone needs to have at least a minimum amount of caution everywhere online,” he said. “This serves to reinforce the advice users are given all the time – never use the same password for multiple sites, especially not low priority sites.

“McDonald’s isn’t exactly protecting the world’s most important data on their customer website. All the same, using very old servers and tools on the site which have well known security problems seems irresponsible.”
