McDonald's AI Hiring Bot "Hides" Applicants' Information behind "123456" Password

Security has never been AI's strongest suit.

Everybody in corporate goes through dozens of security trainings every year, but McDonald's seems far from that culture. Its AI hiring platform McHire, built by Paradox.ai, asks candidates for a lot of information through a bot named Olivia but doesn't hold on to it as diligently as she's supposed to.

Security researchers Ian Carroll and Sam Curry found that they could enter the McHire administration interface with the default credentials 123456:123456, and that an insecure direct object reference (IDOR) on an internal API gave them access to any contacts and chats.

"Together they allowed us and anyone else with a McHire account and access to any inbox to retrieve the personal data of more than 64 million applicants."

Carroll and Curry got interested in the system when they saw complaints on Reddit about the bot responding with nonsensical answers, so they decided to investigate. They noticed that restaurant owners can log in to view applicants and, without much hope, entered 123456 as both the username and password.

Now imagine their surprise when this combination, which countless IT security courses warn you against, let them in! 

"It turned out we had become the administrator of a test restaurant inside the McHire system. We could see all of the employees of the restaurant were simply employees of Paradox.ai, the company behind McHire."

The information they could see included a candidate's name, email address, phone number, address, candidacy state, and an auth token to log into the consumer UI as that user.
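The IDOR described above, as an added illustration that is not code from the article, McHire or Paradox.ai: an internal endpoint that returns a chat by numeric ID for any logged-in session, beside a version that checks the chat belongs to the caller's restaurant. All names, IDs and records are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Chat:
    chat_id: int
    restaurant_id: int
    applicant_name: str


@dataclass(frozen=True)
class Session:
    user: str
    restaurant_id: int  # the restaurant this login administers


# Constructed sample store: two restaurants, three applicant chats.
CHATS = {
    1: Chat(1, 100, "Applicant A"),
    2: Chat(2, 100, "Applicant B"),
    3: Chat(3, 200, "Applicant C"),
}


class Forbidden(Exception):
    pass


def get_chat_vulnerable(session: Session, chat_id: int) -> Chat:
    """IDOR: checks only that a session exists, so any valid login,
    including a test restaurant's, can read every restaurant's chats."""
    return CHATS[chat_id]


def get_chat_fixed(session: Session, chat_id: int) -> Chat:
    """Authorization check: the chat must belong to the caller's restaurant.
    Missing and foreign IDs get the same error so the endpoint does not
    reveal which IDs exist."""
    chat = CHATS.get(chat_id)
    if chat is None or chat.restaurant_id != session.restaurant_id:
        raise Forbidden(f"chat {chat_id} not accessible to {session.user}")
    return chat


def count_readable(getter, session: Session) -> int:
    """Regression check a defender would keep: how many chats one session
    can read across the whole ID range. Must equal its own chats only."""
    readable = 0
    for cid in range(1, max(CHATS) + 1):
        try:
            getter(session, cid)
            readable += 1
        except (KeyError, Forbidden):
            pass
    return readable
```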

The duo contacted McDonald's and Paradox.ai, and the default credentials have since been changed. However, this makes you wonder where else you could get in with similar credentials.
