When security researchers Ian Carroll and Sam Curry decided to try to hack into the backend of McDonald’s AI chatbot last Monday, June 30, they didn’t anticipate just how easy it would be.
McDonald’s uses the AI chatbot to hire new employees, and in just half an hour, they had “full access to virtually every application that’s ever been made to McDonald’s going back years,” Carroll told Wired. They shared their process on their blog on Wednesday.
Carroll and Curry were chatting with “Olivia,” the AI hiring manager for the Golden Arches, created by Paradox.ai, when they discovered a login link for Paradox.ai staff on the website McHire.com.

In just two tries, they successfully guessed the username and the password (“123456”). The two had gained administrator access to the hiring platform. They found another link, which brought them to the data they had just shared with “Olivia.” It didn’t take much to realize they could randomize the applicant ID number to see names, email addresses, and phone numbers attached to any of the other job postings shared with the chatbot. They told Wired that the listings seemed to number up to 64 million.
Paradox.ai has since published a blog post acknowledging the security breach. The post assures readers that the loophole was not discovered by any actors other than the researchers, and that the researchers only accessed the data of the handful of applicants they used to confirm the authenticity of the data. The company told Wired that it is creating a “bug bounty program” to do its own security research.
“We do not take this matter lightly, even though it was resolved swiftly and effectively,” Paradox.ai’s chief legal officer, Stephanie King, told Wired. “We own this.”
In a written statement to Wired, McDonald’s added that the blame started and ended with Paradox.ai and that the breach was resolved immediately.
“We’re disappointed by this unacceptable vulnerability from a third-party provider, Paradox.ai. As soon as we learned of the issue, we mandated Paradox.ai to remediate the issue immediately, and it was resolved on the same day it was reported to us,” the statement reads. “We take our commitment to cyber security seriously and will continue to hold our third-party providers accountable to meeting our standards of data protection.”
The post Hackers Used Simple Password to Access McDonald’s AI Hiring Bot Applicant Data appeared first on The Daily Beast.