Sharing Top Content from the Angular-sphere.

Stealing passwords from McDonald’s users

Stealing passwords from McDonald's users through an AngularJS sandbox escape.

  • We can now use the following sandbox escape, which results in my password in an alert box!
  • I tried decrypting my password on the search page using a malicious search payload, but it didn’t work.
  • We can use the sandbox escape as search value, which results in an alert.
  • We can even load external JavaScript files using the following sandbox escape, which results in the alert below.
  • I searched through all the JavaScript for the keyword password and I found some interesting code that decrypts the password.

By abusing an insecure cryptographic storage vulnerability and a reflected server cross-site-scripting vulnerability it is possible to steal and decrypt the password from a McDonald’s user.

@finnwea: Stealing passwords from McDonald’s users through an AngularJS sandbox escape.

By abusing an insecure cryptographic storage vulnerability (link) and a reflected server cross-site-scripting vulnerability (link) it is possible to steal and decrypt the password from a McDonald’s user. Besides that, other personal details like the user’s name, address & contact details can be stolen too.

q

) in the source of the page. So when we search on

it will look like this:

Link used:

McDonald’s uses AngularJS so we can try to print the unique scope ID using the search value. We can do this by changing the

q

. As we can see

the unique ID (monotonically increasing) of the AngularJS scope.

Link used:

as value wouldn’t work because all AngularJS code is executed in a sandbox. However, the AngularJS sandbox isn’t really safe. In fact, it shouldn’t be trusted at all. It even got removed in version 1.6 (source) because it gave a false sense of security. PortSwigger created a nice blog post about escaping the AngularJS sandbox (link).

in the console.

The version is 1.5.3, so the sandbox escape we need is

. We can use this sandbox escape as search value, which results in an alert.

We can even load external JavaScript files using the following sandbox escape, which results in the alert below.

header.

Another thing I noticed on McDonalds.com was their sign in page which contained a very special checkbox. Normally you can check “Remember me” when signing in, but the McDonald’s sign in page gives us the option to remember the password.

and I found some interesting code that decrypts the password.

If there’s one thing you shouldn’t do, it’s decrypting passwords client side (or even storing passwords using two-way encryption).

I tried to run the code myself, and it worked!

value is a cookie that is stored for a year. LOL!

McDonald’s uses CryptoJS to encrypt and decrypt sensitive data. They use the same

key

and

iv

for every user, which means I only have to steal the

cookie to decrypt someone’s password.

I tried decrypting my password on the search page using a malicious search payload, but it didn’t work. Somehow, the cookies contain hidden characters on the search page causing the

method to fail. The

returns a strange string when executed on the search page.

I wrote some JavaScript that loads the homepage in an iframe and steals the cookie from that iframe.

We can now use the following sandbox escape, which results in my password in an alert box!

Ouch! That was all pretty easy. I tried to contact McDonald’s multiple times to report the issue, but unfortunately they didn’t respond. Below you can find the timeline.

Stealing passwords from McDonald’s users

Comments are closed, but trackbacks and pingbacks are open.