McDonald’s is better at flipping burgers than protecting passwords

You can trust McDonald’s to serve you its less than nourishing Big Macs, but you certainly shouldn’t trust its website with your password.

Dutch independent software engineer Tijme Gommers has uncovered a still-active vulnerability in the main website of the iconic fast food franchise that essentially makes it possible for attackers to retrieve sensitive user information.

As Gommers explains on his blog, the flaw lies in sloppy input sanitization (a standard protective measure) on the website, which could in turn be leveraged to snatch login credentials as well as other sensitive information.

Here’s how the Dutch software engineer summed it up:

By abusing an insecure cryptographic storage vulnerability and a reflected server cross-site-scripting vulnerability it is possible to steal and decrypt the password from a McDonald’s user. Besides that, other personal details like the user’s name, address [and] contact details can be stolen too.

The problem is that instead of saving a token of the user’s password, McDonald’s website essentially stores passwords directly in cookies, which makes it easy for attackers to recover such details.
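For contrast, here is an added sketch of the token approach that paragraph refers to; it is not code from Gommers's post or from McDonald's. The cookie carries only a random, single-use value, the server keeps just its hash, and the cookie is flagged HttpOnly so page script cannot read it. The cookie name, the in-memory store and the 30-day lifetime are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

# Hypothetical in-memory store: selector -> (sha256(validator), user_id, expiry).
REMEMBER_TOKENS = {}
LIFETIME = 30 * 24 * 3600  # assumed 30-day lifetime, in seconds


def issue_remember_me(user_id, now=None):
    """Build a Set-Cookie value holding a random token, never the password."""
    now = time.time() if now is None else now
    selector = secrets.token_urlsafe(12)   # lookup key, not secret
    validator = secrets.token_urlsafe(32)  # secret half, stored only as a hash
    digest = hashlib.sha256(validator.encode()).hexdigest()
    REMEMBER_TOKENS[selector] = (digest, user_id, now + LIFETIME)
    cookie = SimpleCookie()
    cookie["remember_me"] = f"{selector}:{validator}"
    morsel = cookie["remember_me"]
    morsel["httponly"] = True    # injected page script cannot read the cookie
    morsel["secure"] = True      # sent over HTTPS only
    morsel["samesite"] = "Lax"
    morsel["max-age"] = LIFETIME
    morsel["path"] = "/"
    return morsel.OutputString()


def redeem_remember_me(cookie_header, now=None):
    """Return the user id for a valid token, consuming it; None otherwise."""
    now = time.time() if now is None else now
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    if "remember_me" not in cookie:
        return None
    selector, _, validator = cookie["remember_me"].value.partition(":")
    record = REMEMBER_TOKENS.pop(selector, None)  # single use: drop on any attempt
    if record is None:
        return None
    digest, user_id, expiry = record
    presented = hashlib.sha256(validator.encode()).hexdigest()
    # Constant-time comparison of the stored and presented hashes.
    if now > expiry or not hmac.compare_digest(digest, presented):
        return None
    return user_id  # caller should issue a fresh token after a successful redeem
```

A token that leaks this way can be revoked server-side and reveals nothing about the password, so it cannot be replayed against other sites where the user chose the same password.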

The vulnerability affects only people who’ve previously signed up for restaurant accounts, which could entitle loyal customers to meal coupons and discounts.

If you have such an account, we strongly advise you to change your password (as well as the login credentials on other websites where you’ve used the same password) and refrain from using the site’s ‘remember me’ function to prevent the website from storing your password in cookies.

The clown-branded fast food restaurant is hardly the only big franchise that has struggled to keep its users secure. KFC recently sent out an email warning over 1.2 million members of its loyalty program that its website had been compromised.

Gommers made attempts to report the faulty security measure to McDonald’s, but ultimately opted to disclose it on his blog after the franchise never responded to his inquiries.

Head to Gommers’s blog to read the full post for more details.
