Researcher Gives McDonalds Five Days to Rectify Flaw
Posted by: Timothy Weaver on 01/18/2017 09:01 AM
[
Comments
]
Security researcher Tijme Gommers has discovered a flaw in McDonalds official website that would allow a hacker to steal login credentials.
What he discovered was a cross-site scripting (XSS) flaw that allows a hacker to create a malicious link, which when clicked on, escapes a local sandbox, captures a local cookie, extracts password data from that file, decrypts it and then sends it to the attacker.
The flaw was discovered on December 24 by Gommers and he contacted McDonalds with the info and said he would give them 5 business days to rectify the flaw before he made it public. McDonalds did not respond to his discovery, so Gommers published the flaw on January 5th.
Other researchers have slammed Gommers for giving the company such a short time frame.
"That public disclosure timeline is pretty ridiculous as far as I'm concerned," said one user. " The first report was made on Christmas Eve (a Saturday) and the public release was on January 5th. Not only are there two public (US) holidays in that timeline, but a lot of companies give two days off for Christmas as well."
Most researchers will give a company 3 months to rectify a flaw before announcing the issue.
Source: Bleeping Computer
What he discovered was a cross-site scripting (XSS) flaw that allows a hacker to create a malicious link, which when clicked on, escapes a local sandbox, captures a local cookie, extracts password data from that file, decrypts it and then sends it to the attacker.The flaw was discovered on December 24 by Gommers and he contacted McDonalds with the info and said he would give them 5 business days to rectify the flaw before he made it public. McDonalds did not respond to his discovery, so Gommers published the flaw on January 5th.
Other researchers have slammed Gommers for giving the company such a short time frame.
"That public disclosure timeline is pretty ridiculous as far as I'm concerned," said one user. " The first report was made on Christmas Eve (a Saturday) and the public release was on January 5th. Not only are there two public (US) holidays in that timeline, but a lot of companies give two days off for Christmas as well."
Most researchers will give a company 3 months to rectify a flaw before announcing the issue.
Source: Bleeping Computer
Comments
