Fast food giant McDonald's is running an insecure website that could enable users' passwords to be compromised, it has been reported.
The vulnerability was uncovered by Dutch security expert Tijme Gommers, who informed McDonald's but decided against waiting the customary 30 days before telling everyone else, as the company didn't condescend to reply to his security reports.
The problem, claims Gommers, isn't just the frowned-upon practice of storing the user password on the client, but also the outdated version of AngularJS that McDonald's runs on its website.
"By abusing an insecure cryptographic storage vulnerability and a reflected server cross-site-scripting vulnerability it is possible to steal and decrypt the password from a McDonald's user," he wrote in a blog uncovering the security shortcoming.
Because the same key is used to decrypt the password of every user, it's not beyond the bounds of possibility that an attacker can use a phishing attack to compromise McDonald's website passwords. It's also not beyond the bounds of possibility that the kind of person who has a McDonald's website login also uses the same email address/password combination with scores of other websites.
The AngularJS security shortcomings, meanwhile, concern the framework's code-execution sandbox, which was removed in more recent versions.
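The storage weakness described above, set beside a safer design, as an added Node.js example that is not code from McDonald's or from Gommers' write-up. The cipher, key, cookie name and function names are all assumptions made for illustration; the report does not name them.

```javascript
const crypto = require('node:crypto');

// Weak pattern: one key shipped in the client code, identical for every user.
// The key and the AES-GCM choice are constructed for this example.
const SHARED_KEY = crypto.createHash('sha256').update('constructed-demo-key').digest();

function weakRemember(password) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', SHARED_KEY, iv);
  const body = Buffer.concat([c.update(password, 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), body]).toString('base64');
}

// Whatever runs in the page holds both the stored value and the key,
// so the encryption protects nobody: one key opens every user's value.
function weakRecover(cookieValue) {
  const raw = Buffer.from(cookieValue, 'base64');
  const d = crypto.createDecipheriv('aes-256-gcm', SHARED_KEY, raw.subarray(0, 12));
  d.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
}

// Hardened pattern: the cookie carries a random token, never the password.
const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');

function issueRememberToken(userId, store, ttlMs = 30 * 24 * 3600 * 1000) {
  const token = crypto.randomBytes(32).toString('base64url');
  // The server keeps only a hash, so a leaked store does not yield usable tokens.
  store.set(sha256(token), { userId, expires: Date.now() + ttlMs });
  // HttpOnly keeps the token out of reach of script injected through XSS.
  return { token, setCookie: `remember=${token}; HttpOnly; Secure; SameSite=Lax; Path=/` };
}

function verifyRememberToken(token, store, now = Date.now()) {
  const entry = store.get(sha256(String(token)));
  if (!entry || entry.expires <= now) return null; // unknown or expired token
  return entry.userId;
}
```

A stolen token in the second design can be revoked server-side and reveals nothing reusable on other sites, unlike a recovered password.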
"All AngularJS code is executed in a sandbox. However, the AngularJS sandbox isn't really safe. In fact, it shouldn't be trusted at all. It even got removed in version 1.6 because it gave a false sense of security," added Gommers.
This has been known for more than a year and is well-covered here.
And AngularJS isn't the only outdated software that McDonald's is running: it's also running a near-seven-year-old version of JBoss.