McDonald’s Chatbot Recruitment Platform Exposed 64 Million Job Applications
securityweek
Two vulnerabilities in an internal API allowed unauthorized access to contacts and chats, exposing the information of 64 million McDonald’s applicants.


Vulnerabilities in the McDonald’s chatbot recruitment platform McHire exposed the personal information of over 64 million job applicants, security researchers Ian Carroll and Sam Curry discovered.
When accessing the platform, prospective McDonald’s employees chat with a bot created by Paradox.ai, which did not remove the default credentials for a test account and failed to properly secure an API that allowed access to the chat interactions of every applicant.
The McHire platform, Carroll explains, enables restaurant owners to log in to view applications, and forces Single Sign-On (SSO) for McDonald’s. However, a sign-in page for Paradox team members allowed logging into a ‘123456’ user account, with the ‘123456’ password.
“It turned out we had become the administrator of a test restaurant inside the McHire system ...
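The two weaknesses the story describes, a live test account with default credentials and an API that returned any applicant's chat regardless of which restaurant the caller belonged to, modelled in a few lines with the defender-side checks beside them. This is an added example, not code from the article or from Paradox.ai; the account names, restaurant IDs and chat records are constructed.

```python
# Added illustration (not Paradox.ai / McHire code). All accounts, restaurant IDs
# and chat transcripts below are constructed sample data.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample data: applicant chats belonging to two restaurants (tenants).
CHATS: Dict[int, dict] = {
    101: {"restaurant": "store-A", "transcript": "Hi, I'd like to apply for a crew role"},
    102: {"restaurant": "store-A", "transcript": "Can I work weekends only?"},
    203: {"restaurant": "store-B", "transcript": "Do you offer morning shifts?"},
}

# Constructed accounts, including a test account using the '123456'/'123456' pair the story cites.
ACCOUNTS: Dict[str, dict] = {
    "123456": {"password": "123456", "restaurant": "store-TEST", "role": "admin"},
    "owner-a": {"password": "correct horse battery staple", "restaurant": "store-A", "role": "admin"},
}


@dataclass
class Caller:
    username: str
    restaurant: str


def get_chat_vulnerable(caller: Caller, applicant_id: int) -> Optional[dict]:
    """Vulnerable shape: any authenticated caller can read any applicant's chat (no tenant check)."""
    return CHATS.get(applicant_id)


class Forbidden(Exception):
    pass


def get_chat_hardened(caller: Caller, applicant_id: int) -> dict:
    """Hardened: the record's tenant must match the caller's. A missing record is reported
    the same way as a foreign one, so applicant IDs cannot be enumerated by error type."""
    record = CHATS.get(applicant_id)
    if record is None or record["restaurant"] != caller.restaurant:
        raise Forbidden(f"{caller.username} may not access applicant {applicant_id}")
    return record


# Known default/test pairs; password-equals-username is also flagged.
DEFAULT_PAIRS = {("123456", "123456"), ("admin", "admin"), ("test", "test")}


def default_credential_accounts(accounts: Dict[str, dict]) -> List[str]:
    """Deployment check: usernames whose credentials are a known default/test pair or whose
    password equals the username. Run this before a sign-in page is exposed to the internet."""
    return sorted(
        name for name, acct in accounts.items()
        if (name, acct["password"]) in DEFAULT_PAIRS or acct["password"] == name
    )
```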
Copyright of this story solely belongs to securityweek.