Security researchers have uncovered glaring vulnerabilities in the “McHire” AI chatbot used by McDonald’s to hire workers, potentially exposing the personal information of approximately 64 million job applicants.
Tom’s Hardware reports that security researchers Ian Carroll and Sam Curry have discovered critical flaws in the McHire chatbot, developed by Paradox.ai for McDonald’s, which could have been exploited to access sensitive data of millions of job applicants. The chatbot, known as Olivia, is reportedly used by 90 percent of McDonald’s franchises in the United States to streamline their hiring processes.
The first vulnerability came to light when the researchers successfully guessed the password used by Paradox team members to access McHire: “123456.” This weak password allowed Carroll and Curry to gain administrator access to a test restaurant within the McHire system. While this initial access only revealed employees of Paradox.ai, it provided valuable insights into the workings of the application.
However, the real concern emerged with the discovery of a second vulnerability. An insecure direct object reference (IDOR) flaw in the McHire API enabled the researchers to access a wealth of personal information from every chat interaction involving individuals who had ever applied for a job at McDonald’s. This exposed data included names, email addresses, phone numbers, addresses, candidacy states, form inputs such as preferred shifts, and even authentication tokens that could be used to log into the consumer UI and view raw chat messages.
The scale of the potential data breach is staggering, given that Paradox had previously touted McHire’s adoption by 90 percent of McDonald’s franchises. With McDonald’s boasting a market cap of $213 billion and Paradox having raised $200 million in 2020, the use of such a weak password and the presence of the IDOR flaw raise serious questions about the companies’ commitment to data security.
Fortunately, Carroll and Curry reported the vulnerabilities to Paradox, and the company addressed the issues within a day of disclosure. However, the incident serves as a stark reminder of the importance of implementing robust security measures, especially when handling sensitive personal information.
The exposure of personal data belonging to millions of job applicants is a major concern, as it could potentially lead to identity theft, phishing attempts, or other malicious activities. It is crucial for companies, particularly those dealing with vast amounts of user data, to prioritize security and adopt stringent password policies and secure coding practices.
Read more at Tom’s Hardware here.
Lucas Nolan is a reporter for Breitbart News covering issues of free speech and online censorship.
