If you have ever been to McDonald’s website, you have probably noticed the immediate pop-up asking you to “subscribe” to their emails. Now if you’re anything like me, you fill it out because it is, more often than not, followed by a coupon. Or maybe you don’t. Regardless, this is a perfect example of why subscribing to everything can leave us exposed.
McDonald’s Security Gap
A security vulnerability was brought to my attention today by PC Matic’s Vice President of Cyber Security, Dodi Glenn. Dodi read about this vulnerability via a blog written by Tijme Gommers. You can read the full blog post here, but I am going to break it down into layman’s terms.
McDonald’s Subscriber? Hackers Are Lovin’ It!
It all begins with the subscription process. It seems harmless, because you just provide an email and zip code. However, after doing so they ask you to fill out a “profile.” This includes your first and last name, month of birth, and a password. To be clear, I am not really sure why they would need any of this information. Unless of course they’re going to send you some amazing deals for your birthday (again, focused on the coupons). So you fill it out. That’s it. Harmless, right?
Wrong. The McDonald’s website had a vulnerability called cross-site scripting (XSS), which allowed a hacker to retrieve passwords from people who subscribed to their newsletter. The issue with this is, 9 times out of 10, we reuse our passwords. So the password “Kayla Smith” used for McDonald’s is likely the same as her social media passwords, banking passwords, Amazon account, etc. So not only has your McDonald’s profile been hacked, including your email address and name, but they also have your password, which is likely used on other platforms as well.
I’m guessing you’re not lovin’ it??