McDonald’s Data Breach: 64M Applicants’ Chats Exposed

by Priyanka Patel

McDonald’s Job Application Chatbot Exposed Data of Over 64 Million Applicants

A significant data breach affecting McDonald’s job applicants has been revealed, exposing the personal information of more than 64 million individuals across the United States. The vulnerability, discovered in McHire – the fast-food giant’s chatbot job application platform – stemmed from shockingly weak security protocols and a critical flaw in how the system handled user data.

The issue was identified by cybersecurity researchers Ian Carroll and Sam Curry, who found the administrative panel for the chatbot utilized default credentials: a login name and password of “123456.” This alarming lapse in security provided access to a test franchise, opening the door to a much larger problem.

McHire, powered by the artificial intelligence platform Paradox.ai and utilized by approximately 90% of McDonald’s franchisees, relies on a chatbot named Olivia to collect applications. Applicants are prompted to submit sensitive data including names, email addresses, phone numbers, home addresses, and availability, as well as complete a personality assessment.

During testing, the researchers observed that HTTP requests were directed to a specific API endpoint – /api/lead/cem-xhr – which included a parameter called “lead_id.” Initially set at 64,185,742, this parameter proved to be the key to the breach. By systematically incrementing and decrementing the lead_id, the researchers were able to access the complete chat transcripts, session tokens, and personal data of numerous applicants who had previously used the McHire platform.
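The pattern described above, an authenticated account walking neighbouring `lead_id` values one at a time, is visible in ordinary access logs. As an added detection example (not code from Paradox.ai, McDonald's or the researchers), the script below parses constructed log lines in a simple `timestamp account method path status` layout, groups requests to the lead endpoint by account, and flags accounts whose successive `lead_id` values differ by exactly one for most of their requests. The log format, account names and thresholds are assumptions for the example; the endpoint path and the starting id are the ones named in the article.

```python
"""Added detection example: flag accounts that enumerate sequential lead_id
values on the lead API. Log lines, account names and thresholds are
constructed for this illustration and are not from the incident."""
import re
from collections import defaultdict

# Constructed sample access log: acct-17 walks ids up and down from the
# starting value named in the article; acct-42 makes a few unrelated lookups.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z acct-17 GET /api/lead/cem-xhr?lead_id=64185742 200
2024-01-01T10:00:02Z acct-17 GET /api/lead/cem-xhr?lead_id=64185741 200
2024-01-01T10:00:03Z acct-17 GET /api/lead/cem-xhr?lead_id=64185740 200
2024-01-01T10:00:04Z acct-17 GET /api/lead/cem-xhr?lead_id=64185739 200
2024-01-01T10:00:05Z acct-17 GET /api/lead/cem-xhr?lead_id=64185743 200
2024-01-01T10:00:06Z acct-17 GET /api/lead/cem-xhr?lead_id=64185744 200
2024-01-01T10:00:07Z acct-17 GET /api/lead/cem-xhr?lead_id=64185745 200
2024-01-01T10:00:08Z acct-42 GET /api/lead/cem-xhr?lead_id=64190001 200
2024-01-01T10:01:30Z acct-42 GET /api/lead/cem-xhr?lead_id=64190017 200
2024-01-01T10:02:45Z acct-42 GET /api/lead/cem-xhr?lead_id=64190002 200
2024-01-01T10:03:00Z acct-42 GET /api/lead/cem-xhr 400
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
LEAD_RE = re.compile(r"[?&]lead_id=(\d+)")


def parse(log_text):
    """Yield (account, lead_id) for every successful lead lookup in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # malformed line
        _ts, account, _method, path, status = m.groups()
        if not status.startswith("2"):
            continue  # only successful reads disclose data
        lead = LEAD_RE.search(path)
        if lead is None:
            continue  # request did not carry a lead_id
        yield account, int(lead.group(1))


def enumeration_score(ids):
    """Fraction of consecutive requests whose lead_id differs by exactly 1.
    A human reviewing applicants jumps around; an enumerator steps by one."""
    if len(ids) < 2:
        return 0.0
    adjacent = sum(1 for a, b in zip(ids, ids[1:]) if abs(b - a) == 1)
    return adjacent / (len(ids) - 1)


def find_enumerators(log_text, min_requests=5, min_score=0.8):
    """Return {account: score} for accounts that look like they are walking
    sequential ids: enough requests, and most steps of size one."""
    by_account = defaultdict(list)
    for account, lead_id in parse(log_text):
        by_account[account].append(lead_id)
    flagged = {}
    for account, ids in by_account.items():
        score = enumeration_score(ids)
        if len(ids) >= min_requests and score >= min_score:
            flagged[account] = round(score, 2)
    return flagged


if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))  # {'acct-17': 0.83}
```

The score is deliberately simple: it does not need the full id space, only the order in which one account touches ids, so it can run over a short rolling window per account. In production the thresholds would be tuned against how recruiters actually browse the inbox, and a hit would be correlated with the account's login source and session age before any action.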

This type of security flaw is known as an Insecure Direct Object Reference (IDOR) vulnerability. It occurs when an application reveals internal identifiers without verifying whether the user requesting the data is authorized to view it. “During a cursory security review of a few hours, we identified two serious issues: the McHire administration interface for restaurant owners accepted the default credentials 123456:123456, and an insecure direct object reference (IDOR) on an internal API allowed us to access any contacts and chats we wanted,” Carroll explained. “Together they allowed us and anyone else with a McHire account and access to any inbox to retrieve the personal data of more than 64 million applicants.”
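To make the IDOR class concrete, here is an added illustration (not Paradox.ai's, McDonald's or the researchers' code) of a lead-lookup handler that trusts the caller's session but never checks who owns the record, next to a hardened version that scopes every lookup to the caller's franchise. The in-memory records, the `Session` and `Lead` types, and the franchise identifiers are all constructed for the example; the random public handle shown at the end is a second, assumed mitigation layered on top of the ownership check.

```python
"""Added illustration of an insecure direct object reference and its fix.
Records, tenants and session shape are constructed for the example."""
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Lead:
    lead_id: int          # sequential internal id, trivially guessable
    franchise_id: str     # tenant that owns this applicant's record
    applicant: str
    transcript: tuple     # chat messages exchanged with the bot


@dataclass(frozen=True)
class Session:
    user: str
    franchise_id: str     # tenant the authenticated user belongs to


# Constructed sample data: two franchises, three applicants.
LEADS = {
    1001: Lead(1001, "fr-A", "applicant-1", ("hi", "I can work weekends")),
    1002: Lead(1002, "fr-B", "applicant-2", ("hello", "mornings only")),
    1003: Lead(1003, "fr-A", "applicant-3", ("hey",)),
}


class NotFound(Exception):
    pass


def get_lead_vulnerable(session: Session, lead_id: int) -> Lead:
    """IDOR: the caller is authenticated, but ownership is never checked,
    so any valid session can read any lead simply by supplying its id."""
    try:
        return LEADS[lead_id]
    except KeyError:
        raise NotFound(lead_id)


def get_lead_secure(session: Session, lead_id: int) -> Lead:
    """Hardened: the lookup is scoped to the caller's tenant. A record that
    belongs to another tenant is reported as 'not found', not 'forbidden',
    so the endpoint does not confirm which ids exist."""
    lead = LEADS.get(lead_id)
    if lead is None or lead.franchise_id != session.franchise_id:
        raise NotFound(lead_id)
    return lead


def is_readable(session: Session, lead_id: int) -> bool:
    """True when the hardened handler would return the record."""
    try:
        get_lead_secure(session, lead_id)
        return True
    except NotFound:
        return False


# Second layer (assumed mitigation): expose a random public handle instead
# of the sequential internal id so references cannot be enumerated at all.
PUBLIC_HANDLE = {lead_id: secrets.token_urlsafe(16) for lead_id in LEADS}
HANDLE_TO_ID = {handle: lead_id for lead_id, handle in PUBLIC_HANDLE.items()}


def get_lead_by_handle(session: Session, handle: str) -> Lead:
    """Resolve the public handle, then still apply the ownership check."""
    lead_id = HANDLE_TO_ID.get(handle)
    if lead_id is None:
        raise NotFound(handle)
    return get_lead_secure(session, lead_id)


if __name__ == "__main__":
    alice = Session("alice", "fr-A")
    print(get_lead_vulnerable(alice, 1002).applicant)  # leaks fr-B's applicant
    print(is_readable(alice, 1001), is_readable(alice, 1002))  # True False
```

The important detail is where the check lives: the hardened handler filters by tenant inside the lookup itself rather than relying on the UI to only show a user their own ids. An unguessable handle helps, but on its own it is not an access control, which is why `get_lead_by_handle` still routes through `get_lead_secure`.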

The vulnerability was reported to Paradox.ai and McDonald’s on June 30th. McDonald’s responded swiftly, acknowledging the report within an hour and disabling the default administrative credentials shortly thereafter.

“We’re disappointed by this unacceptable vulnerability from a third-party provider, Paradox.ai,” a McDonald’s spokesperson told Wired. “As soon as we learned of the issue, we mandated Paradox.ai to remediate the issue immediately, and it was resolved on the same day it was reported to us.”

Paradox.ai subsequently deployed a fix to address the IDOR flaw and confirmed the vulnerability had been mitigated. The company has also initiated a comprehensive review of its systems to prevent similar incidents from occurring in the future. According to a statement provided to BleepingComputer, Paradox.ai confirmed that the exposed data included all chatbot interactions, even those without direct personal information input, such as button clicks.

This incident underscores the critical importance of robust security measures, even in seemingly simple applications. The ease with which researchers were able to access sensitive data highlights the potential risks associated with weak credentials and inadequate access controls, serving as a stark reminder for organizations to prioritize cybersecurity best practices.
