Would You Like an IDOR With That? Leaking 64m McDonald's Job Applications


Over 90% of McDonald's franchises route job applications through "Olivia," an AI-powered chatbot. We discovered a vulnerability that could allow an attacker to access more than 64 million job applications. This data includes applicants' names, resumes, email addresses, phone numbers, and personality test results.

During a cursory security review of a few hours, we identified two serious issues: the McHire administration interface for restaurant owners accepted the default credentials 123456:123456, and an insecure direct object reference (IDOR) on an internal API allowed us to access any contacts and chats we wanted. We tried to prompt-inject the Olivia chatbot, which likely ruined our chance at a human approving us, but it seemed to be locked to a list of pre-set responses or something similar, and there were no interesting APIs for the candidates. After our outreach reached the appropriate people, the Paradox.ai team engaged with us, emphasized that safeguarding candidate and client data was their top priority, promptly remediated the vulnerability, and committed to further reviews to identify and close any remaining avenues of exploitation.
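The IDOR described above boils down to an API that fetched a chat by its client-supplied id without checking which franchise the caller was authorized for. The following is an added illustration, not code from the article or from Paradox.ai: a constructed in-memory store with the unscoped lookup beside a tenant-scoped one, plus a sequential-id sweep of the kind a reviewer would run against both. All ids, tenant names and addresses are made up.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Chat:
    chat_id: int
    tenant_id: str   # the franchise whose applicant this chat belongs to
    applicant: str


# Constructed sample data: two franchises, three applicant chats.
CHATS = {
    1001: Chat(1001, "franchise-A", "alice@example.com"),
    1002: Chat(1002, "franchise-A", "bob@example.com"),
    1003: Chat(1003, "franchise-B", "carol@example.com"),
}


class Forbidden(Exception):
    """Raised when the caller is not entitled to the requested object."""


def get_chat_vulnerable(chat_id: int, caller_tenant: str) -> Chat:
    """IDOR: trusts the client-supplied id and ignores who is asking."""
    return CHATS[chat_id]


def get_chat_scoped(chat_id: int, caller_tenant: str) -> Chat:
    """Hardened: the lookup is scoped to the authenticated tenant.

    'Missing' and 'not yours' raise the same error, so a caller cannot
    learn which ids exist by sweeping the sequential id space.
    """
    chat = CHATS.get(chat_id)
    if chat is None or chat.tenant_id != caller_tenant:
        raise Forbidden(f"chat {chat_id} is not accessible to {caller_tenant}")
    return chat


def enumerate_accessible(ids, caller_tenant: str, lookup) -> list:
    """Return the ids `caller_tenant` can read via `lookup` (a review check
    for IDOR: a tenant should only ever see its own records)."""
    found = []
    for chat_id in ids:
        try:
            lookup(chat_id, caller_tenant)
            found.append(chat_id)
        except (KeyError, Forbidden):
            pass
    return found
```

Run the sweep as franchise-B: the unscoped lookup returns every chat in the store, the scoped one only franchise-B's own.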
