
McHire.com - McDonald's Hiring Chatbot - Leaked Data on 64 Million Job Applicants

Silviu STAHIE

July 10, 2025


Hiring platform McHire.com, used by fast food giant McDonald's, has exposed information on more than 64 million job applicants, according to security researchers. 

It turns out that not every chatbot is created equal – some are worse than others, to put it mildly. Some applicants have already complained about how bad the Olivia chatbot is at its job.

The idea is simple. The user accesses the website and talks directly with the chatbot to apply for a job. This should be followed by a call from a real person. When security researchers Ian Carroll and Sam Curry saw the ridiculous answers it gave, they figured it wouldn't hurt to see how its security was faring.

It's fair to say that the security wasn't faring well

"During a cursory security review of a few hours, we identified two serious issues: the McHire administration interface for restaurant owners accepted the default credentials 123456:123456, and an insecure direct object reference (IDOR) on an internal API allowed us to access any contacts and chats we wanted," said the researchers.

"Together they allowed us and anyone else with a McHire account and access to any inbox to retrieve the personal data of more than 64 million applicants."

The problem begins with the fact that restaurant owners can log in to the platform, just like users. On a whim, the researchers wrote "123456" as the username and "123456" as the password. To their surprise, they were in.

This was actually a test account, but it showed the platform’s security was lacking.

After they applied for jobs on the platform, they noticed a strange request from an API.

"The main parameter of this request was the lead_id of the chat, which for our test applicant was about 64,185,742. We tried decrementing this number, and were immediately faced with PII from another McDonald's applicant (including "unmasked" contact data)!" wrote the researchers.

It turns out that private information on more than 64 million applicants was available to anyone with a little effort. However, there's no indication that the information was actually accessed by other parties, except the two researchers.

The information included the following: 

  • Name, email address, phone number, and address
  • Candidacy state and every state change/form input the candidate had submitted (shifts they could work, etc)
  • Auth token to log into the consumer UI as that user, leaking their raw chat messages and presumably other information
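Two defensive controls that address the IDOR finding described above, as an added example that is not code from McHire or from the researchers' write-up: an object-level authorization check on the lead lookup, and a detector that flags an account walking consecutive lead_id values in access logs. The inbox names, applicant records and log lines are constructed for illustration.

```python
# Added example (not McHire code): object-level authorization for a lead
# lookup, plus a log-based detector for sequential lead_id enumeration.
# All inbox names, records and log lines below are constructed.
from collections import defaultdict

# Constructed lead store: lead_id -> (owning inbox, applicant record)
LEADS = {
    1001: ("inbox-a", {"name": "Applicant One", "email": "one@example.com"}),
    1002: ("inbox-b", {"name": "Applicant Two", "email": "two@example.com"}),
}

def get_lead(session_inbox: str, lead_id: int):
    """Return applicant data only if the lead belongs to the caller's inbox.
    The weak pattern is LEADS[lead_id] with no ownership check: any valid
    session could then walk lead_ids and read every applicant (an IDOR)."""
    entry = LEADS.get(lead_id)
    # Same 'not found' result for missing and foreign leads, so the
    # response does not reveal which ids exist.
    if entry is None or entry[0] != session_inbox:
        return None
    return entry[1]

def find_enumeration(log_lines, threshold=3):
    """Flag accounts whose lead_id requests form runs of consecutive ids
    (ascending or descending), a signature of id-walking rather than
    normal inbox use. Returns {account: number of consecutive steps}."""
    seen = defaultdict(list)
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split())
        seen[fields["account"]].append(int(fields["lead_id"]))
    flagged = {}
    for account, ids in seen.items():
        steps = sum(1 for a, b in zip(ids, ids[1:]) if abs(a - b) == 1)
        if steps >= threshold:
            flagged[account] = steps
    return flagged

# Constructed access-log lines, one request per line, in request order
SAMPLE_LOG = [
    "account=inbox-b lead_id=1002",
    "account=inbox-b lead_id=1001",
    "account=inbox-b lead_id=1000",
    "account=inbox-b lead_id=999",
    "account=inbox-a lead_id=1001",
    "account=inbox-a lead_id=2000",
]
```

In production the ownership check belongs in the API handler itself, and the detector would run over the real request log with an alert threshold tuned to normal inbox activity.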
