McDonald's Leaks Password For Monopoly VIP Database To Winners (bleepingcomputer.com) 33
A bug in the McDonald's Monopoly VIP game in the United Kingdom caused the login names and passwords for the game's database to be sent to all winners. BleepingComputer reports: After skipping a year due to COVID-19, McDonald's UK launched their popular Monopoly VIP game on August 25th, where customers can enter codes found on purchase food items for a chance to win a prize. These prizes include 100,000 pounds in cash, an Ibiza villa or UK getaway holiday, Lay-Z Spa hot tubs, and more. Unfortunately, the game hit a snag over the weekend after a bug caused the user name and passwords for both the production and staging database servers to be in prize redemption emails sent to prize winners.
An unredacted screenshot of the email sent to prize winners was shared with BleepingComputer by Troy Hunt that shows an exception error, including sensitive information for the web application. This information included hostnames for Azure SQL databases and the databases' login names and passwords, as displayed in the redacted email below sent to a Monopoly VIP winner. The prize winner who shared the email with Troy Hunt said that the production server was firewalled off but that they could access the staging server using the included credentials. As these databases may have contained winning prize codes, it could have allowed an unscrupulous person to download unused game codes to claim the prizes. Luckily for McDonald's, the person responsibly disclosed the issue with McDonald's, and while they did not receive a response, they later found that the staging server's password was soon changed.
An unredacted screenshot of the email sent to prize winners was shared with BleepingComputer by Troy Hunt that shows an exception error, including sensitive information for the web application. This information included hostnames for Azure SQL databases and the databases' login names and passwords, as displayed in the redacted email below sent to a Monopoly VIP winner. The prize winner who shared the email with Troy Hunt said that the production server was firewalled off but that they could access the staging server using the included credentials. As these databases may have contained winning prize codes, it could have allowed an unscrupulous person to download unused game codes to claim the prizes. Luckily for McDonald's, the person responsibly disclosed the issue with McDonald's, and while they did not receive a response, they later found that the staging server's password was soon changed.
That's ok. (Score:5, Funny)
Re:That's ok. (Score:5, Interesting)
For those who don't get it, there was a scandal involving the Monopoly game where a security guard stole the winning pieces and sold them to family and friends. Basically McD's would print unlimited quantities of two of the three properties (or 3 of 4 railways) and a special printing would control the number of final pieces to complete the set to win the prize. That's why everyone is always missing the same piece of every set. The winning piece would be hand carried to the production facility where they were supposed to be randomly inserted among the other stickers.
Of course, ask Pepsi on how to screw it up, for they managed to make a winning piece an unlimited printing piece and had thousands of Philippinoes rioting because Pepsi refused to honor the win.
The Monopoly scandal happened between 1989 through 2001.
https://en.wikipedia.org/wiki/... [wikipedia.org]
It's been well reported as well, apparently there's a documentary on it as well. But since they were sold to family and friends, "they all knew each other".
Re: (Score:2)
Re: (Score:2)
Ooo OOo oooh!
Do American Pie next! :P
(Just kidding, there's enough out there breaking it all down)
Yo Grark
To add insult to injury (Score:1)
The database table was called LUCKY_LARDASSES.
Re: (Score:3)
Re: (Score:2)
No mod points or I'd hit you with funny. Congrats, you actually got me to laugh out loud. *GOLF CLAP*
License to compute. (Score:3)
Whew! Thank goodness using computers is easy.
Re: (Score:2)
I failed my exam twice because I forgot to scroll both ways on an article prior to commenting.
Hackers sentenced (Score:5, Funny)
Go directly to jail, do not pass Go.
What McDonalds needs to leak (Score:3, Informative)
The password for the McFlurry machines that gets iemployees into tbe 'secret' diagnostic menu, the one that can actually be used to ensure that franchise owners don't have to call "the guy" to 'fix' it to the tune of hundereds of dollars per visit.
5-2-3-1 (Score:2)
5-2-3-1
found the service manual (Score:4, Informative)
https://static-pt.com/modelMan... [static-pt.com]
Re: found the service manual (Score:2)
Wait until the next firmware upgrade, "to make the machine better" (worse). It would't surprise me in the least if the password is changed and omitted from the manual.
Outsource Ops they said (Score:2)
Outsource support they said.
Outsource all the programming they said.
Think of all the money we'll save they said.
Oops. (Again)
Mistakes were made, lessons were (probably not) learned.
Wha ... (Score:2)
... why would you ever program this information into an email to be sent out? What the whattting what?
(Yeah, I get it, it's an error message ... but why is it appearing in the body of an email, instead of a log file? {peeks at image again] ... oh ... it's .NET. Nevermind.)
Re: (Score:3)
I remember a decade or so ago, when one of our Windows admins told me all about how Sharepoint and the like were going to render computer administrative and programming jobs obsolete.
I hadn’t kept track of him in the years since, but apparently he’s now working for McDonalds’ computing group.
Re: (Score:1)
Re: (Score:2)
Strictly speaking, a password should never be stored in plaintext anyway. There's no need to, and not doing so precludes any kind of programming mishap revealing the password.
Knowledgeable have known this for decades. When I learned about Unix's /etc/passwd file in the mid 70s, passwords were already being stored as salted hashes. It was common knowledge among Unix programmers that storing plaintext passwords was a bad practice that was easy to avoid.
Prizes (Score:2)
If this was only sent to winners, who's to say that the database passwords weren't one of the prizes?
Re: (Score:2)
"Your honor, I thought it was like Charlie and the Chocolate Factory and I was being given an exclusive digital tour of the inner workings of the facility."
Might fly. Practice your Matt Damon voice first.
Silver lining ... (Score:2)
... looks like they use strong(ish) passwords.
a la M. Python:
Some things in life are bad
They can really make you mad
Other things just make you swear and curse
When you're chewing on life's gristle
Don't grumble, give a whistle
And this'll help things turn out for the best
And
Always look on the bright side of life
Always look on the light side of life
give the cash prize to St. Jude’s and take t (Score:2)
give the cash prize to St. Jude’s and take the rest for your self.
Bug? More like abysmal incompetence... (Score:2)
An I mean abysmal incompetence in the _managers_ that hired the morons that screwed up this badly. Obviously these morons should not have been let anywhere near a computer.
To understand the magnitude of the screw-up, you just need to remember that passwords are, if done halfway competently, only stored hashed, salted and iterated, these days best with ARGON 2. They also should be kept separate from the application data. Obviously, the passwords here were stored simply in plain in the application database. T
Re: (Score:2)
Hashed passwords are stored in a database for letting users in. But that's not what these were. These were the passwords that back-end software used to access the database. Why it was even in the same struct/JSON/whatever together with the rest of the connection info is bad enough, but why the DB connect info with passwords was simply spewed into an e-mail is a total WTF. Even if it was something leftover from debugging, there's no reason to leave the passwords in that info.
And apparently they used the sam
Re: (Score:2)
When I do software reviews I flag tons of instances of 'unsafe exception handling'
Usually they have a pseudo code form like
Try { somethingFrom1000FeetUp(); } rescue(Exception, e) { messageUserSomeHow("Something went wrong: " + e.msg); SomeSingleton.logger(e);}
I usually get a lot of push back but my comment is - you have no idea what all is wrapped up in e.message unless you can be certain that the thing throwing the exception is something you wrote and messages are always safe to to present to the user. If
Re: (Score:2)
Yes, people doing this are really "special". If you need to actually log that data, place it in a secured log and just send the user a reference.
This is on the level of somebody learning the language (where it is fine). People doing this in production have not the slightest clue about security though. Even if it is secure at the time it was written, somebody may just add things on a lower level later without knowing that this stupid thing will expose them.
Re: (Score:2)
That is even more incompetent, agreed. Obviously no active intelligence was used to come up with that design.
Internet accessible database server (Score:1)
Modern software engineering. (Score:2)
Those new kids (Score:2)
Don't they know that the proper English way to do that is to forget a paper copy at the bus-stop or the underground?