back to article McDonald's forget hash, browns off security experts

Dutch software engineer Tijme Gommers has revealed a still-active reflected cross-site scripting vulnerability and borked password controls in McDonald's main website that could be fodder for phishing attacks. The attack, reported on Gommers' blog, is possible thanks to an Angular expression injection vuln present in mcdonalds …

  1. redpawn Silver badge

    No Problem

    It's not like people reuse their user names, passwords or credit cards.

  2. Adam 1 Silver badge

    > McDonald's main website that could be fodder for phishing attacks

    But those URLs are coming from the wrong McAddress.

    /Sorry. I'll grab my McCoat now.

  3. Anonymous Coward
    Anonymous Coward

    Timelines

    The timelines are key, I've been on the receiving end of disclosers in a large organisation and getting a release out of the door can be problematic.

    This should be seen from both perspectives. Giving the equivalent of 4/5 working days before disclosing is just harsh.

  4. Your alien overlord - fear me

    Yay, tell them on Christmas Eve and expect a fix. Just because he doesn't have any family or friends, doesn't mean all security bods don't spend Christmas alone/working.

    1. Dan 55 Silver badge

      And the chances of getting any change tested, signed off, and sent to production in Christmas week are null.

  5. Francis Boyle Silver badge

    They wanted to hash the passwords really

    but they knew they should salt them first and they couldn't figure out how to get those little paper packets to the users.

    1. MrT

      Re: They wanted to hash the passwords really

      Collect one sticker from each hack and by the time you have six you can get a seventh hack for free...

    2. Anonymous Coward
      Anonymous Coward

      Re: They wanted to hash the passwords really

      Nah, the real reason is that they read that hashes should be salted, and decided to ignore it because they figured they knew it already because they always dump loads of salt into all their food anyway.

      1. John Brown (no body) Silver badge

        Re: They wanted to hash the passwords really

        ...and isn't there a current EU healthy eating campaign to get food suppliers to reduce the salt content? They're even reducing the warning on cookies. Probably as part of the sugar reduction campaign,

  6. Anonymous Coward
    Anonymous Coward

    I'm not lovin' it

    I'd start with wondering with why anyone would leave their details on a McD website to start with, but (a) RESPONSIBLE disclosure means you give a sensible amount of WORKING days to address the issue before you go public (in this context I've always had a bit of problem with a fixed deadline time because issues differ, but a month is sensible as the bad guys will find this too) and (b) McD's responsibility should not be overlooked - if you take details you have to protect them and it's not like this is rocket science. By now there's enough sample code and help out there to do it right.

    1. Anonymous Coward
      Anonymous Coward

      Re: I'm not lovin' it

      I'd start with wondering with why anyone would leave their details on a McD website to start with

      You could ask the same question about visiting the restaurants, but enough people do so that you're just going to have to accept that it's something people want to do, even if you don't get it.

      but (a) RESPONSIBLE disclosure means you give a sensible amount of WORKING days to address the issue

      And increase it if your disclosure is close to Christmas, because honestly even if you take the public holidays into account there's at least four additional working days where productivity is likely to be next to zero.

      and (b) McD's responsibility should not be overlooked - if you take details you have to protect them

      Yes, agreed. Even from the description above, it's fairly easy to tell that this isn't going to be something they can just patch up in a few minutes; it sounds like they've been complacent for quite a long time and they're way behind the curve. It's going to take quite a bit of effort for them to update their system to make it secure.

      That rubs both ways: We should definitely be criticising them for letting it get to that point. But now that it's out in the open also we should give them the space to do the work to fix it.

  7. David Austin

    Title

    I Hope you gave the headline writer the rest of the day off; they clearly peaked early, today.

  8. ukgnome

    They have a website?

    Honestly I have never needed to visit it, can't think why....oh hang on, is it because the food is second rate.

    1. richardcox13
      Coat

      > the food is second rate

      They have food? That's an improvement over my last, long ago, visit.

      Of course others may define "food" more broadly than I do.

  9. TRT Silver badge

    I've never...

    liked McDonald's cookies.

  10. chivo243 Silver badge
    Coat

    salt and hash

    Why am I salivating now? Must want some potatoes of some sort?

  11. Ken Moorhouse Silver badge

    Egg McMuffin...

    ...on face

    1. Oengus Silver badge

      Re: Egg McMuffin...

      ...on Mcface

      FTFY

  12. Anonymous Coward
    Anonymous Coward

    What

    A load of bollocks, bullshit and fluff.

    Now that I've critiqued the contents of the burgers lets talk security.

  13. John Geek

    that picture on the front page teaser of this story in no way resembles anything ever served by any mcdonald's I've ever had the displeasure of visiting.

  14. Winkypop Silver badge
    Trollface

    Fillet of Mcphish?

    Is the site managed by Hamburglar?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019