winjer
Member

McDonald's AI hiring chatbot exposed data of 64 million applicants with "123456" password
Security researcher Ian Carroll successfully logged into an administrative account for Paradox.ai, the company that built McDonald's AI job interviewer, using "123456" as both a username and password. Examining the internal site's code quickly granted access to raw text from every chat it ever conducted.
Job applications at 90 percent of McDonald's franchises conduct interviews with Paradox's AI chatbot, named Olivia. The AI collects names, locations, email addresses, phone numbers, shift availability, and other personal information before conducting rudimentary personality tests. Human overseers view and access this information using Paradox administrative accounts.
Although McDonald's hiring website attempts to push users toward a single sign-on, Carroll noticed a link in small text that led to a separate Paradox employee login page. Shockingly, it accepted the default username and password, immediately revealing the system's inner workings.
After discovering an API in the site's code, Carroll decremented the main parameter of an XHR request for a test chat, which granted access to Olivia's chat history for 64 million applicants. In addition to personal data, the leak also reveals authentication tokens and changes to employment status.
Moreover, when Carroll attempted to alert Paradox to the breach, he was unable to find a security disclosure contact. The company's security page mostly consists of a simple assurance that users shouldn't need to worry about security. Eventually, after the researchers emailed "random people," Paradox and McDonald's confirmed that they resolved the issue in early July.
What a major screw up.
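The two defects described in the article are a default credential and an endpoint that returned any chat transcript for whatever id was placed in the request (broken object-level authorization). The example below is added here and is not Paradox's or the article's code; the tenant names, chat ids, log format and `/api/chat/` path are constructed assumptions. It shows the id-only lookup beside a lookup scoped to the caller's own tenant, and a log heuristic that flags a session walking many transcript ids.

```python
"""Object-level authorization vs. an id-only lookup, plus a log check (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Chat:
    chat_id: int
    tenant: str        # account (e.g. a franchise) that owns the transcript
    transcript: str


# Constructed sample transcripts owned by two different tenants.
CHATS = {
    1001: Chat(1001, "franchise-a", "availability: mon-fri, phone 555-0100"),
    1002: Chat(1002, "franchise-b", "email: applicant@example.com"),
    1003: Chat(1003, "franchise-a", "shift: nights"),
}


def get_chat_vulnerable(chat_id: int, caller_tenant: str):
    """Id-only lookup: any logged-in caller who edits the id in the request
    receives another tenant's transcript (the pattern the article describes)."""
    return CHATS.get(chat_id)


def get_chat_hardened(chat_id: int, caller_tenant: str):
    """Object-level authorization: the lookup is scoped to the caller's tenant,
    so a foreign id is indistinguishable from a missing one (no oracle)."""
    chat = CHATS.get(chat_id)
    if chat is None or chat.tenant != caller_tenant:
        return None
    return chat


def enumerating_sessions(log_lines, threshold=3):
    """Return sessions that fetched at least `threshold` distinct chat ids,
    the footprint an id-walk leaves in request logs (assumed key=value format)."""
    ids_by_session = defaultdict(set)
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split())
        path = fields.get("path", "")
        if path.startswith("/api/chat/"):
            ids_by_session[fields["session"]].add(int(path.rsplit("/", 1)[1]))
    return sorted(s for s, ids in ids_by_session.items() if len(ids) >= threshold)


SAMPLE_LOG = [  # constructed request-log lines, not real data
    "session=s1 path=/api/chat/1003 status=200",
    "session=s1 path=/api/chat/1002 status=200",
    "session=s1 path=/api/chat/1001 status=200",
    "session=s2 path=/api/chat/1001 status=200",
]
```

Run as shown, `get_chat_vulnerable(1002, "franchise-a")` returns franchise-b's transcript while `get_chat_hardened` returns `None`, and `enumerating_sessions(SAMPLE_LOG)` flags only `s1`.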
