
64M McDonald’s Job Chatbot Logs Exposed by ‘123456’ Password

▼ Summary

– Cybersecurity researchers found two flaws in McDonald’s McHire chatbot platform that together exposed over 64 million job application records in the U.S.
– The flaw involved weak admin credentials (“123456:123456”) and an IDOR vulnerability allowing access to applicant chats and personal data.
– McHire, powered by Paradox.ai, collects applicant details like names, emails, and addresses through its chatbot Olivia.
– Researchers exploited the IDOR flaw by manipulating the `lead_id` parameter, revealing sensitive data without authorization checks.
– McDonald’s and Paradox.ai quickly addressed the issue, disabling default credentials and fixing the IDOR flaw after being notified.

A major security lapse in McDonald’s job application chatbot exposed sensitive data from over 64 million interactions due to shockingly weak credentials. Cybersecurity experts uncovered that the fast-food giant’s hiring platform, McHire, left applicant information vulnerable through basic security oversights.

The vulnerability stemmed from two critical failures in the system developed by third-party provider Paradox.ai. Researchers Ian Carroll and Sam Curry discovered the platform’s admin panel for a test franchise used the laughably simple login combination “123456” for both username and password. Worse still, the system contained an insecure direct object reference (IDOR) flaw that allowed access to private applicant data by simply changing numbers in the web address.

McHire’s chatbot, named Olivia, handles job applications for approximately 90% of McDonald’s U.S. franchise locations. The automated system collects extensive personal details including full names, contact information, home addresses, and even personality test results from potential employees.

During their investigation, the researchers submitted a test application and then changed the numeric identifier in the web address. Doing so let them view the complete chat histories and personal details of other candidates, because the server never checked whether the logged-in account was entitled to that record. The `lead_id` value assigned to their own application, 64,185,742, indicated the scale of the exposed records.
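The following is an added illustration of the access-control failure described above, not code from Paradox.ai or from the researchers. It assumes a simplified model in which each lead belongs to one franchise and an admin session is scoped to one franchise; the record fields, franchise IDs and sample leads are constructed. The vulnerable lookup authenticates the caller but never authorizes the object; the fixed lookup binds the lookup to the session's franchise and returns the same not-found result for "missing" and "not yours" so the endpoint cannot be used to discover which IDs exist. The enumeration helper reproduces the researchers' technique of walking `lead_id` values and shows what each version leaks.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


# Constructed sample data. The schema (lead_id, franchise_id, applicant_name,
# chat_log) is an assumption for illustration, not the vendor's real schema.
@dataclass(frozen=True)
class Lead:
    lead_id: int
    franchise_id: int
    applicant_name: str
    chat_log: str


LEADS: Dict[int, Lead] = {
    64185740: Lead(64185740, 101, "Applicant A", "Olivia: Hi! Ready to apply? (constructed)"),
    64185741: Lead(64185741, 102, "Applicant B", "Olivia: Hi! Ready to apply? (constructed)"),
    64185742: Lead(64185742, 101, "Test Applicant", "Olivia: Hi! Ready to apply? (constructed)"),
}


@dataclass(frozen=True)
class Session:
    """An authenticated admin session, scoped to the franchise it may administer."""
    user: str
    franchise_id: int


class NotFound(Exception):
    """Raised for both a missing record and a record the caller may not see."""


def get_lead_vulnerable(session: Session, lead_id: int) -> Lead:
    """IDOR: the caller is authenticated (a session exists) but the requested
    object is never checked against what that session is allowed to access."""
    lead = LEADS.get(lead_id)
    if lead is None:
        raise NotFound(lead_id)
    return lead


def get_lead_fixed(session: Session, lead_id: int) -> Lead:
    """Authorize the object, not just the caller: the lead must belong to the
    session's franchise. Missing and forbidden collapse to the same error so the
    endpoint does not act as an oracle for valid lead_id values."""
    lead = LEADS.get(lead_id)
    if lead is None or lead.franchise_id != session.franchise_id:
        raise NotFound(lead_id)
    return lead


def enumerate_leads(
    fetch: Callable[[Session, int], Lead], session: Session, start: int, count: int
) -> List[int]:
    """Simulate walking consecutive lead_id values through a lookup endpoint and
    return the IDs whose records were disclosed to this session."""
    disclosed: List[int] = []
    for lead_id in range(start, start + count):
        try:
            disclosed.append(fetch(session, lead_id).lead_id)
        except NotFound:
            continue
    return disclosed


if __name__ == "__main__":
    admin = Session(user="franchise-101-admin", franchise_id=101)
    print("vulnerable:", enumerate_leads(get_lead_vulnerable, admin, 64185740, 3))
    print("fixed:     ", enumerate_leads(get_lead_fixed, admin, 64185740, 3))
```

The franchise-101 admin in the usage call belongs to one franchise, yet the vulnerable lookup hands back every record in the ID range, including the lead from franchise 102; the fixed lookup returns only the two records that admin is entitled to see. The same shape of check applies whatever the real tenancy boundary is (franchise, restaurant, recruiter): the authorization decision has to compare the object's owner to the session, not merely confirm that a session exists.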

“This combination of weak credentials and an IDOR vulnerability created a perfect storm,” Carroll noted in his technical analysis. The flaws meant anyone with basic technical knowledge could potentially access millions of confidential applicant conversations and personal details without proper authorization.

McDonald’s responded swiftly when notified on June 30, forcing Paradox.ai to implement emergency fixes within hours. The fast-food chain expressed frustration with its vendor, stating the vulnerability was “unacceptable” while emphasizing the issue was resolved the same day it was reported.

Paradox.ai confirmed deploying patches to secure the system and initiated a comprehensive security review. The company clarified that exposed data included all chatbot interactions, even simple button clicks where users didn’t submit personal information. This distinction explains why the 64 million figure represents application sessions rather than unique individuals.

The incident highlights how third-party vendor risks and basic security hygiene failures can create massive data exposure. While no evidence suggests malicious actors exploited the vulnerability before its discovery, the case serves as a stark reminder about the importance of robust authentication protocols and proper access controls in recruitment systems handling sensitive personal data.

(Source: Bleeping Computer)
