l+f: Server credentials served with the chips
In the annual “McDonald's Monopoly” promotion, prizes are awarded for collecting and combining stickers from fast-food packaging. In Britain, however, winners of the campaign currently running there received a few extras they certainly weren't expecting: the prize notification emails sent out last weekend contained, alongside discount codes and the like, details of the UK Monopoly game's SQL database servers, including plaintext passwords.
Pentest fodder from the burger box
“Never trust a clown to secure your connection strings,” tweeted Troy Hunt, operator of the HaveIBeenPwned password-checking service, referring to the fast-food chain's mascot. He told Bleeping Computer that he learned of the incident from one of those affected and tried out the leaked connection strings.
Thanks to a firewall, the attempt to reach the production server failed. He did, however, manage to connect to the staging database server, a test environment that typically also holds cloned “real” data. For understandable reasons (and despite the email's implicit invitation, as it were), he refrained from looking around much further.
McDonald's UK had been informed of the incident and had in the meantime changed the passwords on both servers, which put an end to Hunt's further probing. Fortunately, unlike before, the same password was not reused for both systems.
In a statement to Bleeping Computer, the company acknowledged the leak, though only for the staging server: the emails in question had been sent to a small number of people as a result of an administrative error, no sensitive data had been compromised, and those affected had been informed.
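As an added illustration (not code from the article or from McDonald's), the kind of outbound-mail check that would have caught these emails: it finds ADO.NET/ODBC-style connection strings carrying a Password/Pwd key, redacts them before the message leaves, and flags a password shared by several servers, the production/staging reuse the article describes. The hostnames and credentials in the sample message are constructed.

```python
import re

# ADO.NET/ODBC-style connection string: three or more "Key=Value;" pairs on one line.
_KEY = r"(?:Server|Data Source|Database|Initial Catalog|User Id|Uid|Password|Pwd)"
CONN_RE = re.compile(
    r"(?:" + _KEY + r"\s*=\s*[^;\r\n]+;[ \t]*){2,}" + _KEY + r"\s*=\s*[^;\r\n]+;?",
    re.IGNORECASE,
)
PASSWORD_KEYS = ("password", "pwd")
SERVER_KEYS = ("server", "data source")


def parse_conn(s):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    fields = {}
    for part in s.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            fields[k.strip().lower()] = v.strip()
    return fields


def audit_message(body):
    """List one finding per connection string that embeds a password, plus a
    finding when the same password is used for more than one server."""
    findings, by_password = [], {}
    for m in CONN_RE.finditer(body):
        fields = parse_conn(m.group(0))
        pwd = next((fields[k] for k in PASSWORD_KEYS if k in fields), None)
        if pwd is None:
            continue  # no credential in this string; nothing to report
        server = next((fields[k] for k in SERVER_KEYS if k in fields), "?")
        findings.append(f"plaintext password for {server}")
        by_password.setdefault(pwd, set()).add(server)
    for servers in by_password.values():
        if len(servers) > 1:
            findings.append("password reused across " + ", ".join(sorted(servers)))
    return findings


def redact(body):
    """Blank the value of every Password/Pwd key so the text is safe to send or log."""
    return re.sub(r"((?:Password|Pwd)\s*=\s*)[^;\r\n]+", r"\1[REDACTED]", body,
                  flags=re.IGNORECASE)


# Constructed sample prize email (invented hosts and password) with two leaked strings.
SAMPLE = """Congratulations! Your voucher code is MONO-1234.
Server=prod-db.example.invalid;Database=monopoly;User Id=app;Password=Sup3rSecret!;
Server=staging-db.example.invalid;Database=monopoly;User Id=app;Password=Sup3rSecret!;
Enjoy your meal."""

if __name__ == "__main__":
    print("\n".join(audit_message(SAMPLE)))
    print(redact(SAMPLE))
```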
Disclaimer: This article is generated from the feed and is not edited by our team.