Fast food giant McDonald's is running an insecure website that could enable users' passwords to be compromised, it has been reported.
The vulnerability was uncovered by Dutch security researcher Tijme Gommers, who, despite informing McDonald's, decided against waiting out the customary 30-day disclosure period before telling everyone else, as the company didn't deign to reply to his security reports.
The problem, claims Gommers, isn't just the frowned-upon practice of storing the user's password on the client, but also the outdated version of AngularJS that McDonald's runs on its website.
"By abusing an insecure cryptographic storage vulnerability and a reflected server cross-site-scripting vulnerability it is possible to steal and decrypt the password from a McDonald's user," he wrote in a blog uncovering the security shortcoming.
Because the same key is used to decrypt every user's password, it's not beyond the bounds of possibility that an attacker could harvest McDonald's website passwords with a phishing attack: a reflected XSS only fires when the victim opens a crafted link, which is exactly what a phishing email delivers. It's also not beyond the bounds of possibility that the kind of person who has a McDonald's website login reuses the same email address/password combination on scores of other websites.
The AngularJS security shortcoming, meanwhile, concerns the framework's expression sandbox, which was removed in more recent versions.
"All AngularJS code is executed in a sandbox. However, the AngularJS sandbox isn't really safe. In fact, it shouldn't be trusted at all. It even got removed in version 1.6 because it gave a false sense of security," added Gommers.
This has been known for more than a year and is well-covered here.
And AngularJS isn't the only outdated software that McDonald's is running: the site is also on a nearly seven-year-old version of JBoss.