This article was published on January 16, 2017

McDonald’s is better at flipping burgers than protecting passwords

You can trust McDonald’s to serve you its less than nourishing Big Macs, but you certainly shouldn’t trust its website with your password.

Dutch independent software engineer Tijme Gommers has uncovered a still-active vulnerability in McDonalds.com, the main website of the iconic fast food franchise, that makes it possible for attackers to retrieve sensitive user information.

As Gommers explains on his blog, the flaw lies in sloppy input sanitization (a standard protective measure) on the website, which could in turn be leveraged to snatch login credentials as well as other sensitive information.

Here’s how the Dutch software engineer summed it up:

By abusing an insecure cryptographic storage vulnerability and a reflected server cross-site-scripting vulnerability it is possible to steal and decrypt the password from a McDonald’s user. Besides that, other personal details like the user’s name, address [and] contact details can be stolen too.

The problem is that instead of saving a token of the user’s password, McDonald’s website essentially stores passwords directly in cookies, which makes it easy for attackers to recover such details.
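As an added illustration (not code from the article or from McDonald's), this is the shape a "remember me" feature takes when it avoids putting the password in the cookie: the browser gets an opaque random token, the server keeps only a hash of it with an expiry, and the cookie is marked HttpOnly so script injected via XSS cannot read it. The in-memory store and function names are assumptions.

```python
import hashlib
import secrets
import time
from typing import Optional

# Constructed in-memory table standing in for a database (assumption):
# maps sha256(token) -> (username, expiry_unix_time). The raw token is
# never stored server-side, so a database leak does not yield usable cookies,
# and nothing derived from the user's password is involved at all.
REMEMBER_TOKENS = {}
TOKEN_LIFETIME = 30 * 24 * 3600  # 30 days, in seconds

def _digest(token: str) -> str:
    # A fast hash is fine here: the token already has 256 bits of entropy.
    return hashlib.sha256(token.encode()).hexdigest()

def issue_remember_token(username: str, now: Optional[float] = None) -> str:
    """Create an opaque random token for a 'remember me' cookie.
    Only its hash is kept; the returned value is what goes in the cookie."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    REMEMBER_TOKENS[_digest(token)] = (username, now + TOKEN_LIFETIME)
    return token

def redeem_remember_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Look up a presented cookie value. Returns the username, or None if the
    token is unknown or expired. Expired tokens are purged when seen."""
    now = time.time() if now is None else now
    key = _digest(token)
    entry = REMEMBER_TOKENS.get(key)
    if entry is None:
        return None
    username, expiry = entry
    if now >= expiry:
        del REMEMBER_TOKENS[key]
        return None
    return username

def revoke_all(username: str) -> int:
    """Invalidate every remember-me token for a user, e.g. after a password
    change like the one the article recommends. Returns how many were removed."""
    doomed = [k for k, (u, _) in REMEMBER_TOKENS.items() if u == username]
    for k in doomed:
        del REMEMBER_TOKENS[k]
    return len(doomed)

def set_cookie_header(token: str) -> str:
    """Set-Cookie header for the token. HttpOnly keeps page script (and so a
    reflected XSS payload) from reading it; Secure keeps it off plaintext HTTP."""
    return (f"Set-Cookie: remember_me={token}; Max-Age={TOKEN_LIFETIME}; "
            "Path=/; Secure; HttpOnly; SameSite=Lax")
```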

The vulnerability affects only people who’ve previously signed up for restaurant accounts, which could entitle loyal customers to meal coupons and discounts.

If you have such an account, we strongly advise you to change your password (as well as the login credentials on other websites where you’ve used the same password) and to refrain from using McDonalds.com’s ‘remember me’ function, so the website does not store your password in cookies.

The clown-branded fast food restaurant is hardly the only big franchise that has struggled to keep its users secure. KFC recently sent out an email warning over 1.2 million members of its loyalty program that its website had been compromised.

Gommers made attempts to report the faulty security measure to McDonald’s, but ultimately opted to disclose it on his blog after the franchise never responded to his inquiries.

Head to Gommers’s blog to read the full post for more details.