A recruitment platform used by McDonald’s has come under fire for its inadequate cybersecurity measures, after researchers managed to access the platform with a notoriously weak password. This alarming breach exposed sensitive information on tens of millions of job applicants, including their contact details and the chat logs exchanged between applicants and the restaurant chain’s AI chatbot.
The platform in question, known as McHire, features a chatbot named Olivia. Job seekers interact with Olivia, who evaluates their suitability for roles within the fast-food chain through a personality assessment. This chatbot was developed by Paradox.ai, a company specializing in recruitment technology.
Security researchers Sam Curry and Ian Carroll discovered that by simply entering 123456 as both the username and the password, they could gain entry to the application. Once logged in, they had access to a wealth of information about job applicants. Curry and Carroll reported being able to reach the personal data of over 64 million applicants, which highlights the severity of the breach.
Their findings are both amusing and alarming. The researchers shared their experience by stating:
“Without much thought, we entered ‘123456’ as the username and ‘123456’ as the password and were surprised to see we were immediately logged in! It turned out we had become the administrator of a test restaurant inside the McHire system.”
The exposed information encompassed names, email addresses, phone numbers, physical addresses, the states where the candidates resided, and the authentication tokens they utilized to access the website. Furthermore, Curry and Carroll were able to view “every chat interaction [from every person] that has ever occurred with applicants for positions at McDonald’s.”
This incident is undeniably embarrassing, yet it reflects a broader trend where cybersecurity is often not prioritized within the corporate sector, leading to frequent hacking incidents. Many software applications are developed with little regard for security, making them vulnerable to breaches. However, the level of negligence displayed in this case is particularly troubling and should serve as a wake-up call for all parties involved.
Curry and Carroll reported the security vulnerabilities to both Paradox.ai and McDonald’s on June 30th. On the same day, the fast-food chain acknowledged that the compromised credentials were no longer valid for accessing the application. By July 1st, Paradox.ai had informed the researchers that the issues had been “resolved.” In a subsequent blog post, Paradox detailed the events: “On June 30, two security researchers contacted the Paradox team regarding a vulnerability in our system. We promptly investigated and addressed the issue within hours of notification.”
Paradox’s post continued: “Using a legacy password, the researchers logged into a Paradox test account associated with a single Paradox client instance. We have updated our password security protocols since the account’s inception, but the password for this particular test account had never been modified. Once logged into the test account, the researchers identified an API endpoint vulnerability that enabled access to information concerning chat interactions within the affected client instance. Regrettably, our previous penetration tests did not uncover this issue.”
Gizmodo has reached out to both companies for further details on this significant breach.