Researcher Discovers Way to Pilfer McDonald's Users' Passwords

Food and Beverage

A security researcher found a couple of vulnerabilities that allow an attacker to crib users' passwords from a fast-food giant's website.

In a Jan. 6 blog post, Researcher Tijme Gommers wrote that "By abusing an insecure cryptographic storage vulnerability ... and a reflected server cross-site-scripting vulnerability ... it is possible to steal and decrypt the password from a McDonald's user."

Gommers said he tried to notify the fast-food giant "multiple times" on Dec. 24 and right before the holidays. After not hearing back, he decided to disclose the flaw—something that irked others in the security community.  

"Typically, responsible disclosure dictates that a researcher gives a company at least 30 days to respond to a vulnerability before they go public with it," said David Bisson, writing on GrahamCluley.com, which first reported on Gommers' discovery. "Gommers waited less than two weeks to go public with details of the flaws he had discovered."