
Latest Cybersecurity News

ISA is committed to keeping the security community up to date with the latest cybersecurity news. 


 

Customer builds website to track which McDonald’s ice cream machines are broken

With just a few weekends and 2000 lines of computer code, self-taught programmer Rashiq Zahid from Berlin, Germany has created a website that plots the status of the ice cream machines at about 10,000 McDonald’s restaurant locations across the United States.

Zahid reverse engineered the McDonald’s Android ordering app in order to determine how to use the application programming interface (API) to “talk” to each of the restaurants. Then, with a website running Python and JavaScript, he generates dummy transactions against each restaurant, and gathers the responses regarding the availability of ice cream. The feedback is then shown on an interactive U.S. map on the mcbroken.com site.

Zahid is quick to point out that his site isn’t creating any financial hardship or disruption at the restaurants. His system works by placing tentative orders of $18,752 every minute in order to get the status from each location. No actual orders are ever placed.

McDonald’s does not appear upset by the unanticipated use of the API. “Only a true @McDonalds fan would go to these lengths to help customers get our delicious ice cream! So, thanks! We know we have some opportunities to consistently satisfy even more customers with sweet treats and we will,” tweeted David Tovar, Vice President of U.S. Communications and Government Relations for McDonald’s, in reference to the website. In a statement to CNN, a spokesperson added that “it is exciting to see customer passion translate into customer-innovated solutions to further make that experience a reality.”

The site is currently only available for the 50 American states, but Zahid’s Twitter followers have been encouraging him to follow up with a European version.

The story has a few implications from a cybersecurity perspective. While the use of the API has not, to date, created any issues for the restaurants, it does illustrate how outsiders may choose to leverage – or potentially attack – open interfaces you provide to your systems. When developing web integrations, it is essential to evaluate the sources and acceptable frequency of access to those integrations in order to prevent unauthorized use and potential DDoS attacks.
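One way to evaluate "sources and acceptable frequency of access" on an ordering API is to look for clients that build carts at many different locations in a short window and never check out. The sketch below is an added example, not code from McDonald's or mcbroken.com; the log format, client IDs, action names and thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed sample gateway log: "epoch_seconds client_id action store_id".
SAMPLE_LOG = """\
1000 app-7f3a cart_add 101
1004 app-7f3a checkout 101
1000 app-c91e cart_add 201
1001 app-c91e cart_add 202
1002 app-c91e cart_add 203
1003 app-c91e cart_add 204
1070 app-c91e cart_add 205
"""

WINDOW_SECONDS = 60        # assumed review window
MAX_STORES_PER_WINDOW = 3  # assumed limit for a genuine customer


def flag_probing_clients(log_text, window=WINDOW_SECONDS,
                         max_stores=MAX_STORES_PER_WINDOW):
    """Return {client_id: peak distinct stores in any window} for clients
    that exceed max_stores and never completed a checkout."""
    carts = defaultdict(list)
    checked_out = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # skip malformed lines instead of failing the whole run
        ts, client, action, store = parts
        if action == "checkout":
            checked_out.add(client)
        elif action == "cart_add":
            carts[client].append((int(ts), store))

    flagged = {}
    for client, rows in carts.items():
        if client in checked_out:
            continue  # simplification: any completed order counts as genuine
        rows.sort()
        peak, start = 0, 0
        for end in range(len(rows)):
            # Slide the window start forward until it is within `window` seconds.
            while rows[end][0] - rows[start][0] >= window:
                start += 1
            peak = max(peak, len({s for _, s in rows[start:end + 1]}))
        if peak > max_stores:
            flagged[client] = peak
    return flagged
```

A flagged client is a candidate for rate limiting or review, not proof of abuse; the thresholds need tuning against real traffic.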

High-severity zero-day vulnerability reported in Google Chrome

On October 21, Google released Chrome version 86.0.4240.111 to patch several high-severity security issues, including a zero-day vulnerability that allows attackers to hijack targeted computers through the browser.

Tracked as CVE-2020-15999, this software flaw allows hackers to create a “heap buffer overflow” in the handling of embedded PNG file bitmaps, which creates memory corruption in “FreeType”, an open source software development library for rendering fonts that comes packaged with Chrome. The flaw can be exploited on Windows, Mac, or Linux computers.

The FreeType open source code has also been patched: an emergency fix was released on October 20 in FreeType version 2.10.4. Developers using this code are urged to review and assess the fix, and incorporate the patched version into their systems as soon as possible.

In addition to the FreeType zero-day vulnerability, Google patched four other flaws in the latest Chrome update, three of which are rated as high-risk vulnerabilities as well.

By default, the Chrome browser automatically upgrades itself, or notifies users about the availability of new versions. However, if you have been using Chrome in a managed environment or you have adjusted default settings, you may not have received the latest patch. You can check your version in Chrome by clicking the Customize and Control Chrome button (the icon with the three vertical dots at top right of your screen), then selecting Help and About Google Chrome. Confirm that you are running version 86.0.4240.111, or patch your browser immediately.
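For managed environments, the same check can be run across an inventory export instead of one browser at a time. The following is an added example, not a Google or ISA tool: the patched version comes from the article, while the host names, the other version strings and the CSV layout are constructed. It compares versions numerically, because a plain string comparison would wrongly rank `86.0.4240.75` above `86.0.4240.111`.

```python
PATCHED_CHROME = "86.0.4240.111"  # fixed version named in the article

# Constructed inventory export: "hostname,chrome_version".
INVENTORY = """\
ws-001,86.0.4240.111
ws-002,86.0.4240.75
ws-003,85.0.4183.121
ws-004,86.0.4240.183
ws-005,unknown
"""


def parse_version(text):
    """Turn '86.0.4240.111' into (86, 0, 4240, 111) for numeric comparison."""
    return tuple(int(part) for part in text.strip().split("."))


def is_patched(installed, minimum=PATCHED_CHROME):
    """True when the installed version is at or above the patched one."""
    return parse_version(installed) >= parse_version(minimum)


def unpatched_hosts(inventory_text, minimum=PATCHED_CHROME):
    """Return hosts that are below the patched version or report no usable version."""
    needs_attention = []
    for line in inventory_text.splitlines():
        host, _, version = line.partition(",")
        try:
            ok = is_patched(version, minimum)
        except ValueError:
            ok = False  # missing or unparseable version: treat as unverified
        if not ok:
            needs_attention.append(host)
    return needs_attention


if __name__ == "__main__":
    for host in unpatched_hosts(INVENTORY):
        print(f"{host}: update Chrome to {PATCHED_CHROME} or later")
```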

Forum for online game Albion Online suffers data breach

The user forum for the medieval fantasy game “Albion Online” has been breached. On October 17, German-based game studio Sandbox Interactive GmbH disclosed that a breach had occurred just the day before. Albion Online is a free medieval fantasy MMORPG (that is, a “massively multi-player online role-playing game”) with an estimated 2.5 million players. At the time of the attack, the forum had 293,602 registered members.

By chance, this breach came on the same day that ISA posted an article about cybersecurity in the gaming industry. While this breach has had no direct financial consequences, it is an illustration that cyber criminals are targeting this sector, and game studios of all sizes need to place cybersecurity front and center in their priorities.

According to the post – issued in eight languages on the user forum – Sandbox advised, “Unfortunately, we have become aware of a data breach in one of our systems, in which a malicious actor gained access to parts of our forum’s user database… The intruder was able to access forum user profiles, which include the e-mail addresses connected to those forum accounts.”

The studio assured users that a) no payment information was – or ever could be – accessed in the forum breach; b) the encrypted passwords could not be decrypted; and c) the encrypted passwords could not be used to log in to Albion Online, the website or the forum. However, they conceded that there is “a small possibility [the leaked data] could be used to identify accounts with particularly weak passwords”.

Since the studio used best practices in encrypting the passwords, the risk of the credentials being used to hack into other systems is very low. However, armed with user profile information and email addresses, the hackers could craft targeted messages at players in the form of phishing attacks.

In response to the data breach, the studio has notified forum members about the intrusion and directed them to reset their passwords. Further, the company has notified the authorities and has addressed the bug in the forum that was exploited in the attack.

“We have already closed the vulnerability and are now running additional checks to ensure the integrity of our systems. Because the safety of your data is a top priority for us, we will also be executing a full security review of all our systems to ensure your information remains absolutely safe,” concluded the forum post.

Sandbox Interactive has not yet disclosed the number of accounts compromised in the attack.

 
