Serious Security Flaw Found in McDonald’s AI Chatbot
Security researchers have disclosed a significant vulnerability in McHire, the AI-driven hiring platform used by McDonald’s, which could have exposed the personal information of about 64 million job applicants.
Researchers Ian Carroll and Sam Curry uncovered the problem in McHire, which is built by Paradox.ai for McDonald’s. Its chatbot, named Olivia, is reportedly used by about 90% of McDonald’s franchises in the United States to screen applicants and handle the early stages of hiring.
The first red flag was the administrative login for a test restaurant inside McHire, which accepted the trivially guessable username and password “123456”. That gave the researchers access to the test restaurant’s hiring interface. The data there was limited to test applications submitted by Paradox.ai employees, but the access showed them how the application and its API were put together.
The second vulnerability was more serious. An insecure direct object reference (IDOR) flaw in a McHire API endpoint let the researchers retrieve the chat transcript and personal data behind any job application: the endpoint took a numeric applicant identifier as a parameter and returned the matching record without checking that the caller was entitled to it, so changing the identifier walked straight through other applicants’ records across other restaurants. The exposed data included names, email addresses, phone numbers, home addresses, application status, shift preferences, and an authentication token that would allow access to the applicant-facing interface and live chat messages.
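To make the IDOR pattern concrete, here is an added example that is not code from the article, from Paradox.ai or from McHire. It models a lookup endpoint keyed on a client-supplied lead ID, first with the flaw described above and then with object-level authorization added, and shows what an attacker who decrements the ID from a known starting point gets back in each case. The record store, field names, IDs and restaurant names are constructed for illustration and are not McHire’s real data model or API.

```python
"""Added example, not code from the article or from Paradox.ai: a minimal
model of the IDOR pattern in a lead-lookup endpoint, beside one way to
close it. All data, field names and IDs below are constructed."""

from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Session:
    """Authenticated caller, e.g. a franchise hiring manager. In a real
    app this is derived server-side from the session cookie or bearer
    token, never from a request parameter the client controls."""
    user: str
    restaurant_id: str


# Constructed sample data: sequential lead IDs, each tied to one restaurant.
# A real store would be a database; only the shape matters here.
LEADS: Dict[int, dict] = {
    1001: {"restaurant_id": "test-store", "name": "Test Applicant",
           "email": "test@example.invalid"},
    1002: {"restaurant_id": "store-a", "name": "Applicant A",
           "email": "a@example.invalid"},
    1003: {"restaurant_id": "store-b", "name": "Applicant B",
           "email": "b@example.invalid"},
    1004: {"restaurant_id": "test-store", "name": "Test Applicant 2",
           "email": "test2@example.invalid"},
}


class Forbidden(Exception):
    """Would map to an HTTP 403 or 404. The important property is that
    'not yours' and 'does not exist' are indistinguishable to the caller."""


def get_lead_vulnerable(session: Session, lead_id: int) -> dict:
    """IDOR: the caller is authenticated, but the lookup is keyed only on
    the client-supplied lead_id. Any valid ID returns another restaurant's
    applicant, because the session is never consulted."""
    try:
        return LEADS[lead_id]
    except KeyError:
        raise Forbidden("lead not found") from None


def get_lead_fixed(session: Session, lead_id: int) -> dict:
    """Object-level authorization: the record must belong to the caller's
    tenant. Missing and foreign records raise the same error so the ID
    space cannot be probed for which IDs exist."""
    lead = LEADS.get(lead_id)
    if lead is None or lead["restaurant_id"] != session.restaurant_id:
        raise Forbidden("lead not found")
    return lead


Fetcher = Callable[[Session, int], dict]


def walk_ids(fetch: Fetcher, session: Session, start: int,
             count: int) -> List[Tuple[int, str]]:
    """Decrement the ID from a known starting point, as an attacker would,
    and collect the e-mail of every record the endpoint hands back."""
    leaked: List[Tuple[int, str]] = []
    for lead_id in range(start, start - count, -1):
        try:
            leaked.append((lead_id, fetch(session, lead_id)["email"]))
        except Forbidden:
            continue
    return leaked


if __name__ == "__main__":
    manager = Session(user="manager", restaurant_id="test-store")
    # Vulnerable endpoint: all four records, two of them from other restaurants.
    print("vulnerable:", walk_ids(get_lead_vulnerable, manager, 1004, 4))
    # Fixed endpoint: only the two leads that belong to test-store.
    print("fixed:     ", walk_ids(get_lead_fixed, manager, 1004, 4))
```

The fix is not input validation on the ID; a well-formed, existing ID is exactly what the attacker supplies. The check that matters is that every object lookup is filtered by the authenticated principal’s tenant, ideally in the data-access layer so that no individual endpoint can forget it.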
The potential scope of the exposure is large, since Paradox itself had previously reported that McHire was used by 90% of McDonald’s franchises. Given McDonald’s market capitalization of $213 billion and the $200 million Paradox raised in 2020, a default-grade password on an administrative login combined with a missing authorization check on a data API raises serious questions about the data security practices behind the platform.
Carroll and Curry promptly reported both vulnerabilities to Paradox, which fixed them within about a day. Even so, the incident underlines how basic the failures were, and how much sensitive personal data a hiring system accumulates.
Exposure of personal information belonging to millions of job seekers carries real risk, including identity theft and targeted phishing: an attacker who knows someone has an application pending, and what they discussed with the recruiter bot, can impersonate the employer convincingly. Businesses handling large volumes of user data need to ban default and trivially guessable credentials on every administrative login, including test and demo tenants, and enforce object-level authorization on every API request rather than trusting an identifier supplied by the client.
