CyberSecurity news


@www.csoonline.com //
McDonald's AI-powered hiring platform, McHire, has been found to have a significant data breach affecting an estimated 64 million job applicants. Security researchers Ian Carroll and Sam Curry uncovered a critical vulnerability stemming from elementary security oversights. The core of the problem lay in the use of a default administrator password, specifically '123456', which granted unauthorized access to sensitive applicant information. Combined with an insecure direct object reference (IDOR) vulnerability in an internal API, this allowed anyone holding a McHire account to access any inbox and retrieve the personal data of millions of job seekers.

The breach revealed how easily this information could be accessed. By using a hidden API within the McHire system, the researchers were able to view applicant chat data. Simply changing one number in the request, the "lead_id", let them view personal details such as names, email addresses, phone numbers, and job application specifics of actual McDonald's applicants. The flaw also exposed internal employee data from Paradox.ai, the AI software firm that built the McHire system, after the researchers gained admin access to a test restaurant account using the default credentials.
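The IDOR described above is an authentication-only API: the server checks that the caller is logged in but never that the requested record belongs to the caller's restaurant. The following added example (not code from the article, Paradox.ai or McDonald's) shows that vulnerable pattern next to an object-level authorization check, plus a small detection routine that flags accounts requesting records outside their own restaurant. The `lead_id` name comes from the article; the `Session`, `LEADS` data, `restaurant_id` scoping and the request log are constructed assumptions for illustration.

```python
"""Added example: object-level authorization for a record lookup keyed by
lead_id, with a detection pass over a constructed request log.
Names, records and the tenancy model are assumptions, not McHire's design."""
from dataclasses import dataclass

# Constructed sample data: each applicant "lead" belongs to exactly one restaurant.
LEADS = {
    1001: {"restaurant_id": "store-A", "name": "Applicant One", "email": "one@example.com"},
    1002: {"restaurant_id": "store-A", "name": "Applicant Two", "email": "two@example.com"},
    2001: {"restaurant_id": "store-B", "name": "Applicant Three", "email": "three@example.com"},
}


@dataclass(frozen=True)
class Session:
    """Authenticated caller (assumed model): one account administers one restaurant."""
    user: str
    restaurant_id: str


class Forbidden(Exception):
    """Raised when the caller is not authorized to read the requested lead."""


def get_lead_vulnerable(session, lead_id):
    """Vulnerable pattern: the session proves *who* is calling, but the lookup
    is keyed only by lead_id, so any logged-in account can read any record by
    editing the number in the request."""
    return LEADS.get(lead_id)


def get_lead(session, lead_id):
    """Hardened pattern: authorization is checked against the object itself.
    A lead outside the caller's restaurant is treated exactly like a lead that
    does not exist, so the response does not leak which ids are valid."""
    lead = LEADS.get(lead_id)
    if lead is None or lead["restaurant_id"] != session.restaurant_id:
        raise Forbidden(f"{session.user} may not read lead {lead_id}")
    return lead


def is_denied(session, lead_id):
    """True when the hardened lookup refuses the request."""
    try:
        get_lead(session, lead_id)
    except Forbidden:
        return True
    return False


def flag_enumeration(request_log, threshold=3):
    """Detection: for each user, count distinct lead ids that were refused.
    A run of refused, mostly sequential ids is the signature of id tampering
    and is worth alerting on even after the authorization bug is fixed."""
    denied = {}
    for session, lead_id in request_log:
        if is_denied(session, lead_id):
            denied.setdefault(session.user, set()).add(lead_id)
    return sorted(user for user, ids in denied.items() if len(ids) >= threshold)


# Constructed request log: mgr-a stays inside store-A, mgr-b walks ids across tenants.
SAMPLE_LOG = [
    (Session("mgr-a", "store-A"), 1001),
    (Session("mgr-a", "store-A"), 1002),
    (Session("mgr-b", "store-B"), 2001),
    (Session("mgr-b", "store-B"), 1001),
    (Session("mgr-b", "store-B"), 1002),
    (Session("mgr-b", "store-B"), 1003),  # nonexistent id: refused the same way
]

if __name__ == "__main__":
    print("vulnerable lookup leaks:", get_lead_vulnerable(Session("mgr-b", "store-B"), 1001)["name"])
    print("hardened lookup refuses:", is_denied(Session("mgr-b", "store-B"), 1001))
    print("flagged accounts:", flag_enumeration(SAMPLE_LOG))
```

The important design choice is that `get_lead` answers "does not exist" and "not yours" identically; an endpoint that distinguishes the two still lets a caller map which ids are live. The detection pass belongs in whatever already sees the request log (API gateway, WAF, SIEM), not in the handler.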

The security researchers disclosed their findings, and the issue was reportedly patched swiftly after disclosure. This incident highlights the ongoing cybersecurity challenges faced by even large organizations, particularly when implementing new technologies like AI in their operations. The compromise of the McHire platform underscores the importance of robust security practices, including the mandatory use of strong, unique passwords and secure API development, to protect sensitive personal information in an increasingly digital world.



References:
  • PrivacyDigest: McDonald’s Exposed Millions of Applicants' Data to Using the ‘123456’
  • Talkback Resources: McDonald’s job app exposes data of 64 Million applicants
  • www.csoonline.com: McDonald’s AI hiring tool’s password ‘123456’: Exposes data of 64M applicants
Classification:
  • HashTags: #McDonalds #DataBreach #AIHiring
  • Company: McDonald's
  • Target: McDonald's
  • Product: McHire
  • Feature: Default Password
  • Type: DataBreach
  • Severity: Major