- McDonald’s recently introduced a new hiring platform called McHire
- It uses an AI chatbot that collects résumés, CVs and contact details
- Researchers logged in to the backend with ease and obtained all the data stored by the AI
A vulnerability in a third-party supplier exposed the confidential data of 64 million people who had applied to work at McDonald’s, researchers said.
The company recently introduced a new AI-powered hiring platform, built by its partner Paradox.ai. Called McHire, it features Olivia, an AI chatbot that screens applicants, collects their contact information, CVs and résumés, and has them take a personality test.
The dedicated website, McHire.com, had a login link, which two security researchers, Ian Carroll and Sam Curry, used to log in to the backend. They tried guessing the credentials and, after a failed first attempt (using “administrator” for both the username and password fields), succeeded on the second, using “123456” in both fields.
Plugging the hole
Although it may come as a shock to some, Carroll said that easy-to-guess passwords are “more common than you think.”
In fact, over the years there have been countless reports from security experts warning against the use of passwords such as “password”, “iloveyou”, “123456”, “qwerty” and the like.
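As an added example (not code from the article, from McDonald’s or from Paradox.ai), the following Python check shows the kind of password-acceptance rule that would have rejected “admin”, “administrator” and “123456” at account creation. The blocklist, the 12-character minimum, the sequence table and the helper names are assumptions for illustration; a production system would check candidates against a full breached-password corpus rather than a handful of literals.

```python
import re
import unicodedata

# Constructed sample blocklist: the article's examples plus a few common
# variants. A real deployment would check against a large breached-password
# corpus (for example via a k-anonymity range query) rather than this set.
COMMON_PASSWORDS = {
    "password", "iloveyou", "123456", "qwerty", "admin", "administrator",
    "123456789", "12345678", "letmein", "welcome", "abc123", "mcdonalds",
}

# Assumed policy minimum (illustrative); NIST SP 800-63B requires at least 8
# characters plus a blocklist check for memorized secrets.
MIN_LENGTH = 12

# Keyboard rows and ordered sequences; each is doubled when matching so that
# wrap-arounds such as "yuiopqwer" are caught as well.
SEQUENCES = ("0123456789", "abcdefghijklmnopqrstuvwxyz",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")

# Common leetspeak substitutions, undone before the blocklist lookup.
_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                       "$": "s", "5": "s", "7": "t"})


def _ascii_fold(s: str) -> str:
    """Strip accents so 'pässword' collapses to 'password'."""
    return unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()


def _strip_padding(s: str) -> str:
    """Drop trailing digits/symbols: 'password123!' -> 'password'."""
    return re.sub(r"[^a-z]+$", "", s)


def _variants(password: str) -> set[str]:
    """Normalised forms of the password to compare against the blocklist."""
    lowered = _ascii_fold(password).lower()
    base = {lowered, _strip_padding(lowered)}
    deleeted = {v.translate(_LEET) for v in base}
    return base | deleeted | {_strip_padding(v) for v in deleeted}


def _is_sequence(s: str) -> bool:
    """True if s is a straight run (either direction) along a known sequence."""
    for seq in SEQUENCES:
        track = seq * 2
        if s in track or s in track[::-1]:
            return True
    return False


def check_password(password: str, username: str = "") -> tuple[bool, str]:
    """Return (accepted, reason) for a proposed password."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if _variants(password) & COMMON_PASSWORDS:
        return False, "matches a common password"
    lowered = password.lower()
    if username and username.lower() in lowered:
        return False, "contains the username"
    if len(set(lowered)) <= 3:
        return False, "too few distinct characters"
    if _is_sequence(lowered):
        return False, "keyboard or numeric sequence"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample credentials, including the ones the article describes.
    for user, pw in (("admin", "123456"), ("admin", "Administrator1"),
                     ("olivia", "P@ssw0rd2024!!"),
                     ("olivia", "correct horse battery staple")):
        print(user, repr(pw), check_password(pw, user))
```

The check normalises before the lookup (case, accents, leetspeak, trailing “123!” padding) because the raw blocklist alone is easy to sidestep; the username test covers the “admin/admin” pattern, where the password is the account name itself. Such a rule belongs on every account-creation and password-change path, including the first administrator account a vendor provisions for a customer.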
Once in the backend, they had access to all the data harvested by the platform, including the personally identifiable information shared in CVs and résumés: names, email addresses and telephone numbers. In total, 64 million records were exposed.
While stolen names, email addresses and telephone numbers may not seem like much, cybercriminals can use them to craft very convincing phishing attacks, especially knowing that the victims applied for a job at McDonald’s at some point.
That can lead to more damaging malware and ransomware attacks, identity theft and even wire fraud.
As soon as the discovery was made, Paradox was notified and quickly plugged the hole. The company told Wired that “only a fraction of the records” accessed by the researchers contained personal information, and that the hole had not been found by anyone else before.