It is possible to steal McDonald's user's password


By Shinichi Sugiyama

Engineer Tijme Gommers has demonstrated, against McDonald's official website, an XSS attack that bypasses the sandbox of AngularJS (an open source web application framework written in JavaScript) and steals users' passwords.

Stealing passwords from McDonald's users - Tijme Gommers
https://finnwea.com/blog/stealing-passwords-from-mcdonalds-users

Gommers asserts that "it is possible to steal passwords used by McDonald's users by combining an insecure cryptographic storage vulnerability with XSS." Using this method, it appears that personal information such as name, address and contact details can be stolen along with the password.

The McDonald's website in the USA has a search page, and this page generates a results page that reflects the search parameters.

For example, if you type "***********-test-reflected-test-***********" into the search page and run the search ......


...the URL "https://www.mcdonalds.com/us/en-us/search-results.html?q=***********-test-reflected-test-***********" is generated, and you can see that the page source contains the string "***********-test-reflected-test-***********".


Since McDonald's uses AngularJS, the search value can also be used to query the AngularJS scope ID. By entering the AngularJS expression "{{$id}}" as the search term, you can see that AngularJS evaluates "{{$id}}" and renders it as "9".



As the security company PortSwigger explains in its blog post "It is better not to use the sandbox of AngularJS", the AngularJS sandbox is known to have vulnerabilities. In AngularJS version 1.6 and later, the sandbox has been removed.

However, when Gommers checked which version of AngularJS the McDonald's site was using, he found it was running AngularJS version 1.5.3.


And it turned out that entering such an AngularJS expression as the search term causes code to be executed.


In addition, he succeeded in loading a JavaScript file from an external site.


Next, on the McDonald's sign-in page, you can see that "Remember my password" is displayed where "Remember me" would usually appear.


The word "password" caught Gommers' attention. He searched for the word "password" across all of the site's JavaScript and found some interesting code.


From here he found a value called "penc" that was saved in a cookie, and inside it he found the encrypted password.


Furthermore, it was found that the McDonald's website encrypted every user's password with the same encryption key. The encryption was done with a JavaScript cryptography library called CryptoJS.


Gommers loaded the McDonald's homepage in an iframe on a disguised site and succeeded in stealing the cookie. He also succeeded in recovering the plaintext of a password he had created from the encrypted password in the cookie.


In addition, Gommers reportedly reported this problem to McDonald's multiple times, but he writes on his blog that "there has been no reply."

in Security, Posted by logu_ii