McDonald’s AI bot spills data on job applicants

McDonald’s has outsourced the initial stages of its hiring process to an AI chatbot which seems to have been built without proper security measures.

Security researchers managed to extract personal information about McDonald’s job applicants by simply guessing a username and the password “12345.” In doing this, the researchers could have potentially gained access to the information of 64 million applicants.

According to Wired, 90% of all McDonald’s franchisees use McHire to get information from their applicants and send them to a personality test. Annoyingly, the McHire chatbot has been a thorn in the side of many aspiring McDonald’s employee because of its inability to understand or answer any questions that fall outside of its script.

That’s an aspect that many chatbots have in common, unfortunately. But spilling the McBeans about everyone that ever applied should not be on the menu.

What the researchers did to test the security was create a fake application of their own and have a look at the McHire administration interface for restaurant owners.

The application procedure did not yield any results when the researchers tried to prompt inject the chatbot. Attackers use prompt injection to feed chatbots or AI systems sneaky messages disguised as normal questions or instructions. These messages trick the AI into ignoring its usual rules and doing things it shouldn’t. However, this tactic failed here because the researchers got stuck at the point where a real person would normally take over the interview process.

So, the researchers turned their attention to the back end. They found a web page that restaurant owners can use to login to view applicants. Much to their surprise it accepted the default credentials 123456:123456 which gave them access to the administrator account of a test restaurant inside the McHire system.

When they decided to look at the application they put in earlier, they noticed a flaw in the API (Application Programming Interface) that provided access to “virtually every application that’s ever been made to McDonald’s going back years.”

It took them all of 30 minutes to find this information. The researchers only accessed a small sample of records and verified their validity by contacting applicants. These people confirmed they had applied, supporting the claim that the data was genuine and extensive.

McHire is a product of Paradox.ai. To McDonald’s credit, it promptly remediated the vulnerability and committed to further reviews to identify and close any remaining avenues of exploitation. There are also no indications that this vulnerability was found by cybercriminals before it was patched.

Protecting yourself after a data breach

While there are no indications that this vulnerability was found by cybercriminals before it was patched, it might have been. There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online and helps you recover after.