The first was that 123456 was the credentials for the admin panel.
The second was an insecure direct object reference, where the lead_id querystring parameter can be changed on an API call to retrieve another applicant's data.
It's funny how mcdonalds did everything in their power to make it almost impossible to run their mcdonalds app on a rooted phone, but their backend infrastructure is beyond broken (security wise)
My favourite part form the original report was that paradox had no way to find their security team ( to contact) and their security page just had "We worry about security, so you don't have to."
> Moreover, when Carroll attempted to alert Paradox to the breach, he was unable to find a security disclosure contact. The company's security page mostly consists of a simple assurance that users shouldn't need to worry about security. Eventually, after the researchers emailed "random people," Paradox and McDonald's confirmed that they resolved the issue in early July.
Shouldn't need to worry indeed. McDonald's evidently doesn't either.
Can someone tell them to put "Set a password a five-year-old child can't guess" onto their deployment checklist?
15 comments
[ 2.9 ms ] story [ 33.8 ms ] threadThe first was that 123456 was the credentials for the admin panel.
The second was an insecure direct object reference, where the lead_id querystring parameter can be changed on an API call to retrieve another applicant's data.
$ Downloading 64M transcripts...
Are they counting everybody since 1954?
'Move fast and break things' indeed.
https://web.archive.org/web/20250208000940/https://www.parad...
> Moreover, when Carroll attempted to alert Paradox to the breach, he was unable to find a security disclosure contact. The company's security page mostly consists of a simple assurance that users shouldn't need to worry about security. Eventually, after the researchers emailed "random people," Paradox and McDonald's confirmed that they resolved the issue in early July.
Shouldn't need to worry indeed. McDonald's evidently doesn't either.
Can someone tell them to put "Set a password a five-year-old child can't guess" onto their deployment checklist?