Stealing passwords from McDonald’s users

Stealing passwords from McDonald's users through an AngularJS sandbox escape.

McDonald’s uses AngularJS so we can try to print the unique scope ID using the search value.


@finnwea: Stealing passwords from McDonald’s users through an AngularJS sandbox escape.

By abusing an insecure cryptographic storage vulnerability (link) and a reflected server cross-site-scripting vulnerability (link) it is possible to steal and decrypt the password from a McDonald’s user. Besides that, other personal details like the user’s name, address & contact details can be stolen too.

, the response will look like this:

the unique ID (monotonically increasing) of the AngularJS scope.

as value wouldn’t work because all AngularJS code is executed in a sandbox. However, the AngularJS sandbox isn’t really safe. In fact, it shouldn’t be trusted at all. It even got removed in version 1.6 (source) because it gave a false sense of security. PortSwigger created a nice blog post about escaping the AngularJS sandbox (link).

in the console.

. We can use this sandbox escape as search value, which results in an alert.

We can even load external JavaScript files using the following sandbox escape, which results in the alert below.

header.
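As an added example, not code from the original post or from McDonald’s, the following Node.js snippet shows the defensive side of what is described above: a check over constructed access-log lines that flags search requests carrying AngularJS interpolation markers (the `{{...}}` form used to print the scope ID), and a render helper that HTML-escapes the reflected term and marks it `ng-non-bindable` so AngularJS never compiles it. The log lines, IP addresses, the `/search?q=` path and all function names are assumptions.

```javascript
// Added example, not code from the original post: a log check that flags
// search requests carrying AngularJS interpolation markers, and a render
// helper that keeps a reflected search term out of AngularJS compilation.
// Log lines, paths and names below are constructed for illustration.

// AngularJS evaluates text between {{ and }} anywhere inside an ng-app region,
// so a reflected search term containing them becomes an expression.
const INTERPOLATION = /\{\{[\s\S]*?\}\}/;

// Constructed access-log lines (common log format); the second one carries
// a URL-encoded {{$id}}, the scope-ID probe the post describes.
const SAMPLE_LOG = [
  '203.0.113.5 - - [01/Jan/2017:10:00:00 +0000] "GET /search?q=bigmac HTTP/1.1" 200 512',
  '203.0.113.9 - - [01/Jan/2017:10:00:03 +0000] "GET /search?q=%7B%7B%24id%7D%7D HTTP/1.1" 200 512',
  '198.51.100.2 - - [01/Jan/2017:10:00:07 +0000] "GET /search?q=fries HTTP/1.1" 200 512',
];

// Detection: return the client and decoded request target of every line whose
// request target contains an interpolation block after percent-decoding.
function flagInterpolationProbes(lines) {
  const hits = [];
  for (const line of lines) {
    const m = /"(?:GET|POST) (\S+) HTTP\//.exec(line);
    if (!m) continue;
    let target;
    try { target = decodeURIComponent(m[1]); } catch (e) { target = m[1]; }
    if (INTERPOLATION.test(target)) {
      hits.push({ client: line.split(' ')[0], target });
    }
  }
  return hits;
}

// Mitigation: HTML-escape the value (classic XSS) and wrap it in an element
// marked ng-non-bindable, which tells AngularJS to leave that subtree alone
// (template injection). Entity-encoding the braces is not enough on its own,
// because AngularJS reads the decoded text node, not the HTML source.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderSearchEcho(term) {
  return `<span ng-non-bindable>${escapeHtml(term)}</span>`;
}

// Stand-alone run: show the flagged request and a safely rendered echo.
console.log(flagInterpolationProbes(SAMPLE_LOG));
console.log(renderSearchEcho('{{$id}}<b>'));
```

The two controls are independent: HTML escaping alone leaves `{{$id}}` intact as text for AngularJS to evaluate, and `ng-non-bindable` alone does nothing against a plain `<script>` injection, so a page that reflects user input inside an `ng-app` region needs both.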

Stealing the user’s password

Another thing I noticed on McDonalds.com was their sign in page which contained a very special checkbox. Normally you can check “Remember me” when signing in, but the McDonald’s sign in page gives us the option to remember the password.

and I found some interesting code that decrypts the password.

If there’s one thing you shouldn’t do, it’s decrypting passwords client side (or even storing passwords using two-way encryption). I tried to run the code myself, and it worked!

value is a cookie that is stored for a year. LOL!

cookie to decrypt someone’s password.

if executed on the search page.

, so that the payload is only executed once.

We can now use the following sandbox escape, which results in my password in an alert box!

That was all pretty easy. I tried to contact McDonald’s multiple times to report the issue, but unfortunately they didn’t respond, which is why I decided to disclose the vulnerability.
