- McDonald’s recently introduced a new job platform called McHire
- It uses an AI-powered chatbot that collects résumés, CVs and contact data
- Researchers were able to log in to the backend easily and obtain all the data stored by the AI

A third-party supply chain vulnerability has exposed sensitive data on 64 million people who applied to work at McDonald’s, experts said.
The company recently presented a new AI-powered hiring platform, courtesy of its partner Paradox.ai. Called McHire, it features Olivia, an AI-powered chatbot that screens candidates, collects their contact details, CVs and résumés, and has them take a personality test.
The dedicated website, Mchire.com, had a login link that two security researchers, Ian Carroll and Sam Curry, used to log in to the backend. They tried to guess the password, and after a first unsuccessful attempt (using “admin” in both the username and password fields), they succeeded on the second, using “123456” in both fields.
Hole
Although it may be a shock to some, Carroll told Wired that easy-to-guess passwords like this are “more common than you think”.
Indeed, over the years, there have been countless reports from security experts warning against the use of passwords such as “password”, “iloveyou”, “123456”, “Qwerty” and similar.
Having reached the backend, they accessed all the data collected by the platform, including personally identifiable information shared in CVs and résumés: names, email addresses and telephone numbers. A total of 64 million files were exposed.
While stolen names, emails and telephone numbers may not seem like much, cybercriminals can use them to create very convincing phishing attacks, in particular knowing that the victims applied for a job at McDonald’s at some point.
This can lead to malware and more destructive ransomware attacks, identity theft and even wire fraud.
As soon as the discovery was made, Paradox was informed and quickly plugged the hole. The company told Wired that “only a fraction of the files” the researchers accessed contained personal information and that the hole had not previously been spotted by anyone else.