Researchers were able to access the hiring chatbot’s back end after finding it was protected by a default password: “123456”.
Infosec researchers have discovered a critical security flaw in McDonald’s hiring process after using a default password to access the admin side of its hiring chatbot platform.
Security researchers Ian Carroll and Sam Curry published their findings after they were able to access the administrator page of the fast-food chain’s McHire platform, exposing 64 million hiring chats.
McHire uses a chatbot created by Paradox.ai called Olivia, which collects the personal information and shift preferences from potential job candidates, as well as administers personality tests. However, after seeing a number of Reddit users report the bot responding strangely, Carroll and Curry began investigating.
The two began by applying for a job through the McHire platform, where they were quickly directed to Olivia. The researchers found the personality test “disturbing” (it asked whether they liked overtime), but they were unable to make any progress.
However, they discovered that the McHire platform for restaurant owners also allowed Paradox.ai team members to log in. The two tried 123456 as the login credentials and soon found themselves logged in as the administrator of a test restaurant, whose employees were Paradox.ai staff.
“During a cursory security review of a few hours, we identified two serious issues: the McHire administration interface for restaurant owners accepted the default credentials [123456:123456], and an insecure direct object reference (IDOR) on an internal API allowed us to access any contacts and chats we wanted,” the pair said.
“Together, they allowed us and anyone else with a McHire account and access to any inbox to retrieve the personal data of more than 64 million applicants.”
This data included the name, email, phone number, and address of each applicant, as well as the candidacy state and every state change and form input of the candidate, such as their shift availability, and their raw chat messages.
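The two weaknesses the researchers describe, an admin login that accepts default credentials and an internal API that returns any contact or chat by id without checking who owns it, map onto two small hardening patterns: refuse well-known default passwords when a password is set, and key every record lookup on the caller's tenant rather than on the record id alone. The Python below is an added example written for this article, not code from McHire or Paradox.ai; the in-memory chat store, tenant names, account names and the password denylist are all constructed for illustration.

```python
"""Added example: an IDOR guard that scopes lookups to the caller's
tenant, and a password policy that refuses default credentials.
All data here is constructed; nothing is taken from a real system."""
from dataclasses import dataclass
import hashlib
import hmac
import os


@dataclass(frozen=True)
class Chat:
    chat_id: int
    tenant_id: str        # the restaurant / account that owns this chat
    applicant: str
    messages: tuple


@dataclass(frozen=True)
class Session:
    user: str
    tenant_id: str        # tenant the authenticated user belongs to


# Constructed sample store: two restaurants, three applicant chats.
CHATS = {
    1001: Chat(1001, "restaurant-A", "applicant-1", ("hi", "i can work weekends")),
    1002: Chat(1002, "restaurant-A", "applicant-2", ("hello",)),
    2001: Chat(2001, "restaurant-B", "applicant-3", ("available mornings",)),
}


def get_chat_insecure(session: Session, chat_id: int) -> Chat:
    """IDOR: the session is accepted but never consulted, so any
    authenticated caller can read any chat simply by guessing its id."""
    return CHATS[chat_id]


def get_chat(session: Session, chat_id: int) -> Chat:
    """Hardened: the record must belong to the caller's tenant.
    Unknown ids and foreign ids raise the same error so the API does not
    confirm which ids exist to a caller who is probing."""
    chat = CHATS.get(chat_id)
    if chat is None or chat.tenant_id != session.tenant_id:
        raise PermissionError(f"chat {chat_id} is not accessible to {session.tenant_id}")
    return chat


# Constructed denylist of default / trivial passwords. A real deployment
# would check against a much larger breached-password corpus.
DEFAULT_PASSWORDS = frozenset({"123456", "12345678", "password", "admin"})

ACCOUNTS: dict[str, tuple[bytes, bytes]] = {}   # username -> (salt, pbkdf2 digest)
_ITERATIONS = 200_000


def set_password(username: str, password: str) -> None:
    """Refuse default passwords and username-derived passwords up front,
    so an account can never be left on a vendor-supplied default."""
    if password in DEFAULT_PASSWORDS or password.lower() == username.lower():
        raise ValueError("refusing a default or username-derived password")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    ACCOUNTS[username] = (salt, digest)


def login(username: str, password: str) -> bool:
    """Verify a password against the salted PBKDF2 digest in constant time.
    Unknown users and wrong passwords both return False."""
    record = ACCOUNTS.get(username)
    if record is None:
        return False
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    owner_a = Session("owner-a", "restaurant-A")
    print("insecure lookup leaks:", get_chat_insecure(owner_a, 2001).tenant_id)
    print("scoped lookup ok:", get_chat(owner_a, 1001).applicant)
    try:
        get_chat(owner_a, 2001)
    except PermissionError as exc:
        print("scoped lookup blocked:", exc)
    try:
        set_password("123456", "123456")
    except ValueError as exc:
        print("default credentials rejected:", exc)
```

The scoped lookup is the important half: once every query is keyed on `(tenant_id, chat_id)` at the data-access layer, a single forgotten authorisation check in a handler no longer exposes every other tenant's records.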
Upon discovering the flaw, the researchers disclosed it to both McDonald’s and Paradox.ai, but they had to email “random people” as there were no disclosure contacts.
“The Paradox.ai security page just says that we do not have to worry about security,” the two added.
Once the disclosure reached Paradox.ai, the issue was patched, and the company “committed to further reviews to identify and close any remaining avenues of exploitation”.