McDonald's Official Website Exposes Passwords in Cleartext - Computer Troubleshooters Huntsville

McDonald’s Official Website Exposes Passwords in Cleartext

Published on: January 17th, 2017


Security researcher Tijme Gommers has discovered and publicly disclosed an issue in the McDonald’s official website that allows an attacker to gain access to a user’s password in cleartext.

The issue, a cross-site scripting (XSS) bug described in finer detail on his blog, allows an attacker to craft a malicious link which, when clicked by a target, escapes a local sandbox, captures a local cookie, extracts the password data from that cookie, decrypts it and then sends it to the attacker.

According to Gommers, this is possible because McDonald’s stores password information in a cookie file, information which it protects using the same key and initialization vector for all users.

This flaw allows an attacker to create a universal system to decrypt any password for any user if he manages to access the user’s cookie file.

Researcher gave McDonald’s only five business days to fix the bug
Gommers’ discovery caused shock among users and security researchers alike. Users were shocked because McDonald’s was storing passwords in cookie files, while security researchers were shocked and outraged by the way Gommers handled the bug’s responsible disclosure.

On his blog, Gommers said he notified McDonald’s of this issue on December 24, and after not receiving a reply, he disclosed the bug to the public on January 5.

Gommers criticized by fellow researchers
On Reddit’s famous /r/netsec thread, fellow security researchers ripped Gommers for his decision.

“That public disclosure timeline is pretty ridiculous as far as I’m concerned,” said one user. “The first report was made on Christmas Eve (a Saturday) and the public release was on January 5th. Not only are there two public (US) holidays in that timeline, but a lot of companies give two days off for Christmas as well.”
