Threatwatch

Researcher Discovers Way to Pilfer McDonald's Users' Passwords

Password cracking

A security researcher found a couple of vulnerabilities that allow an attacker to crib users' passwords from a fast-food giant's website.

In a Jan. 6 blog post, researcher Tijme Gommers wrote that "By abusing an insecure cryptographic storage vulnerability ... and a reflected server cross-site-scripting vulnerability ... it is possible to steal and decrypt the password from a McDonald's user."

Gommers said he tried to notify the fast-food giant "multiple times" on Dec. 24 and right before the holidays. After not hearing back, he decided to disclose the flaw—something that irked others in the security community.

"Typically, responsible disclosure dictates that a researcher gives a company at least 30 days to respond to a vulnerability before they go public with it," said David Bisson, writing on GrahamCluley.com, which first reported on Gommers' discovery. "Gommers waited less than two weeks to go public with details of the flaws he had discovered."

Sector: Food and Beverage

Reported: January 18, 2017

Reported by: Graham Cluley

Number affected: Unknown

Location of breach: Unknown

Perpetrators: Individual

Location of perpetrators: Unknown

Date breach occurred: Unknown

Date breach detected: 2016/12/24