McDonald's fans, beware: the Hamburglar's next target could be your password.
Registered users of McDonald's website may be susceptible to credential theft due to the combination of a cross-site scripting (XSS) vulnerability and a cryptographic storage vulnerability, a researcher has found.
By abusing these two flaws, “It is possible to steal and decrypt the password from a McDonald's user,” wrote Netherlands researcher Tijme Gommers earlier this month in a blog post on his website. “Besides that, other personal details like the user's name, address and contact details can be stolen too.”
Although his post was originally published in early January, Gommers' findings began prominently circulating around the Internet in just the last few days, especially after some members of the infosec community accused the researcher of not following responsible disclosure practices. In a statement, McDonald's claims to have taken steps to address the issue, but does not specify its exact actions or indicate if the bugs were fully repaired.
In his technical analysis, Gommers explained that the McDonald's website sign-in page gives visitors the option of allowing the website to remember their passwords so they don't have to log in during future visits. However, these passwords are stored in cookies and subsequently decrypted all on the client side – an insecure practice that allows crafty attackers to uncover the credentials in cleartext.
“This is the first (big) site that I know of that stored passwords client-side,” said Gommers in an interview with SC Media via Twitter. “The normal way to go here is storing a ‘remember me’ cookie,” a more secure method that relies on a series identifier and a hashed token – both comprised of random numbers – to authenticate returning users.
According to Gommers, potential attackers can steal these passwords by taking advantage of a sandbox escape flaw found in AngularJS, McDonalds.com's open-source front-end web application framework. The sandbox escape essentially allows attackers to then use the XSS vulnerability that Gommers identified to steal users' cookies and run a decryption function to decipher them.
“Reflected XSS is one of the most common vulnerabilities introduced by developers in web-facing applications. Enterprises are struggling with securing production applications at scale due to more frequent releases and the rise of agile and DevOps practices,” said Julien Bellanger, co-founder and CEO of application and data protection firm Prevoty, in comments emailed to SC Media. “I would expect to see more of these critical disclosures in the future.”
McDonald's provided the following statement to SC Media: “We recently became aware of a potential matter related to our McDonalds.com website and took immediate steps to address it. We investigated the issue and found that no customer-provided contact information was impacted. It's important to note, our McDonalds.com website does not collect any credit card or customer financial information. At McDonald's, we are committed to providing a safe and enjoyable experience for our customers who engage with us online and that includes continuing to use security measures to protect our website and any customer data.” SC Media has asked McDonald's to clarify if addressing the matter includes fixing the identified vulnerabilities.
According to his own vulnerability disclosure timeline, Gommers first attempted to privately contact McDonald's on Christmas Eve, before publicly publishing his findings on Jan. 6. In revealing his findings, Gommers apparently ran afoul of some security industry members who believe he did not provide McDonald's with adequate time to respond to his private communications – especially in light of the holiday season, when many corporate employees are on vacation.
Justin Calmus, VP of hacker success at bug disclosure company HackerOne, agreed with this criticism. “When it comes to disclosure timelines, 90 days to 180 days is standard, due to the complexity of vulnerabilities and other factors that can impact resolution timelines,” said Calmus in an email interview with SC Media. “When done right, vulnerability disclosure should be safer and rewarding for all parties involved. For a company of McDonald's size, this was not an appropriate amount of time.”
But Casey Ellis, CEO and founder of vulnerability disclosure company Bugcrowd, was among those who shifted blame to McDonald's for failing to have a proactive and straightforward vulnerability disclosure policy. “If they had one in place, the expectations on both sides would have been a lot clearer and the kinds of ambiguity we're talking about now would have been avoided,” said Ellis in an email interview with SC Media. "We're at a tipping point, where disclosure policies are becoming the norm. Companies can no longer afford the risk of full public disclosure, especially when it often comes down to a simple miscommunication," Ellis continued.
For his part, Calmus agreed that all organizations should have clearly defined public disclosure policies available on their web sites.
In his blog post, Gommers said that he tried to contact McDonald's “multiple times to report the issue, but unfortunately they didn't respond, which is why I decided to disclose the vulnerability.” Later, in his interview with SC Media, Gommers acknowledged that the disclosure was “quick indeed” and that “people had very different opinions on the disclosure,” but added that he was “not going to get… involved in those discussions.”
Ironically, Gommers' website has its own vulnerability disclosure policy, which requests that researchers who find flaws with his site not go public with them until they are resolved. Gommers told SC Media that he added this policy on Jan. 10 – four days after his McDonald's disclosure – after a fellow researcher found a bug on his site. “I can imagine people got angry when reading the RD policy on my site after they read the McDonald's article. I think everyone should have RD guidelines that fit... them,” said Gommers, noting that he will likely “refine” his policy language, which was taken from a default policy that he got from the Internet.
In other news regarding online credentials, Keeper Security last week published a blog post naming 2016's most commonly used passwords. According to the report, out of 10 million passwords that were exposed by data breaches in 2016, 17 percent used the numerical combination 123456. Indeed, most of the top 25 common passwords consisted of a predictable combination of letters and numbers. The second through fifth most popular passwords were, respectively, 123456789, qwerty, 12345678, and 111111.