McDonald’s Website Offers Burgers, Fries, and Pwnage
If you’re a user of the McDonald’s website, it would appear that this site is not as secure as it perhaps should be. Tijme Gommers has revealed a still-active reflected cross-site scripting vulnerability and substandard password controls on the site. Those could lead to phishing attacks on top of you getting info on the new toy that comes with your next Happy Meal. The attack is possible because of an outdated version of AngularJS as well as an outdated version of JBoss that leave holes open that any hacker can stroll through. On top of that, the company didn’t encrypt user passwords. Instead, they were left in plain text, making them easy to intercept.
#Fail
He posted his results in a blog post after trying to get the fast food company’s attention and failing to do so. Though, he tried to do so over the holidays, so one has to wonder if that was the reason why he didn’t get their attention. Either that or Ronald McDonald was busy with other matters. In any case, it will be interesting to see how and when the company fixes this.
This entry was posted on January 16, 2017 at 8:12 am and is filed under Commentary with tags Security. You can follow any responses to this entry through the RSS 2.0 feed.