Recently, cybersecurity researchers revealed a serious vulnerability in the chatbot system McDonald's uses for job applications, which put over 64 million job application records in the U.S. at risk of exposure because of an overly simple password.

What is McHire?
McHire, developed by Paradox.ai, is used by more than 90% of McDonald's franchises across the U.S. to streamline job submissions through a chatbot called “Olivia.” Applicants are asked to provide their name, email, phone number, address, and complete a personality test.
What Caused the Vulnerability?
Security researchers Ian Carroll and Sam Curry discovered that the McHire admin panel used a test account where both the username and password were simply “123456.” This is an extremely easy-to-guess password that should never be used in any system.
They submitted a test application and noticed the system sent data to an API that used a parameter called lead_id. By simply increasing or decreasing the number slightly, they could retrieve full records of other real applicants. The platform did not check user authorization before giving access to those records.
This vulnerability is called IDOR (Insecure Direct Object Reference), which often occurs when an application allows access to data simply by changing an ID without properly checking if the user has permission.
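The following is an added illustration of the IDOR pattern described above, not code from McHire or Paradox.ai. It places a lookup that trusts the identifier alone beside one that checks the caller's authorization; the record store, account names, and lead ids are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Lead:
    lead_id: int
    owner: str   # account that submitted this application
    name: str
    email: str


# Constructed sample records standing in for the applicant data behind lead_id.
LEADS = {
    1001: Lead(1001, "alice", "Alice A.", "alice@example.com"),
    1002: Lead(1002, "bob", "Bob B.", "bob@example.com"),
    1003: Lead(1003, "carol", "Carol C.", "carol@example.com"),
}


class Forbidden(Exception):
    """Raised when the caller may not read the requested record."""


def get_lead_vulnerable(caller: str, lead_id: int) -> Optional[Lead]:
    """Insecure: any authenticated caller gets any record.

    `caller` is never consulted, so only the id decides what comes back.
    Stepping lead_id up or down therefore walks every applicant's record.
    """
    return LEADS.get(lead_id)


def get_lead_secure(caller: str, lead_id: int, *, is_admin: bool = False) -> Lead:
    """Hardened: fetch the record, then verify the caller is allowed to see it.

    A missing record and a record owned by someone else fail identically,
    so the response does not reveal which ids exist.
    """
    lead = LEADS.get(lead_id)
    if lead is None or (not is_admin and lead.owner != caller):
        raise Forbidden(f"{caller!r} may not read lead {lead_id}")
    return lead


def can_read(caller: str, lead_id: int, *, is_admin: bool = False) -> bool:
    """True if the hardened lookup would release the record to this caller."""
    try:
        get_lead_secure(caller, lead_id, is_admin=is_admin)
        return True
    except Forbidden:
        return False
```

The ownership check belongs on the server side of every object lookup; a client-supplied id is input to be authorized, not a proof of entitlement.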
What Data Was Leaked?
By incrementing or decrementing the lead_id, researchers were able to access:
- Full chat history in the chatbot
- Personal details of real applicants (name, email, phone number, address)
- Session tokens that could be used to access the system later
How did McDonald’s and Paradox.ai respond?
This vulnerability was reported to McDonald's and Paradox.ai on June 30th. McDonald's confirmed receipt within one hour and immediately disabled the default administrator account. Meanwhile, Paradox.ai promptly patched the vulnerability and began reviewing its entire system to prevent similar issues from recurring.
Paradox.ai clarified that some leaked data involved only clicks or interactions with the chatbot, rather than fully entered personal information.
Key lessons from this incident
This case shows why it's critical to build secure systems. Developers should avoid weak passwords, check user permissions before granting access, and run regular security tests to catch vulnerabilities early.
For users, this case is a reminder to stay alert when entering personal data. Even trusted platforms can have flaws. It's safer to use services that clearly focus on protecting your privacy.
_____________________________________________________________________________________________________________________________________________________________________
Source: https://www.bleepingcomputer.com/news/security/123456-password-exposed-chats-for-64-million-mcdonalds-job-chatbot-applications/