In a major cybersecurity lapse, researchers uncovered a vulnerability in McHire—McDonald’s chatbot-driven hiring platform—that exposed sensitive information tied to over 64 million job applicants across the U.S.
The flaw was discovered by security researchers Ian Carroll and Sam Curry, who were examining the platform's security features. What they found was alarming: the admin panel of McHire’s test franchise was protected by one of the weakest credential combinations imaginable, username 123456 and password 123456.
McHire, powered by Paradox.ai, is used by nearly 90% of McDonald’s franchisees to simplify the hiring process. Applicants submit job applications through a chatbot named Olivia, which collects their personal information.
To better understand the process, the researchers created a fake application on the platform’s test franchise. What they discovered next was a serious security flaw.
The researchers found that simply changing the number in a URL parameter called lead_id would expose other applicants’ chat transcripts, personal data, and even session tokens. This kind of vulnerability is known as an IDOR (Insecure Direct Object Reference): the server trusts the identifier the client supplies and never checks that the caller is authorized to see the object it names, so a user can read data they are not supposed to see just by changing an internal identifier.
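To make the failure concrete, here is an added example, not code from Paradox.ai or McHire, that models an applicant-lookup endpoint with exactly this IDOR next to the same lookup with an object-level authorization check. The Lead and Session types, the lead_id values and the sample applications are constructed for illustration; the only assumption is that each application is owned by one franchise and one applicant, and that a caller should see a record only in one of those two roles.

```python
"""Added example, not Paradox.ai/McHire code: an applicant-lookup API with an
IDOR, beside the same lookup with an ownership check.

Assumptions (hypothetical, not from the original article): each Lead belongs to
one franchise and one applicant; a Session is either franchise staff (has a
franchise_id) or an applicant (has an applicant_email).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Lead:
    lead_id: int
    franchise_id: int          # franchise the application was submitted to
    applicant_email: str
    transcript: Tuple[str, ...]  # chatbot conversation
    session_token: str         # applicant's own session token, also stored


@dataclass(frozen=True)
class Session:
    user_id: str
    franchise_id: Optional[int]      # set for franchise staff, None otherwise
    applicant_email: Optional[str]   # set for applicants, None otherwise


class AuthorizationError(Exception):
    pass


# Constructed sample data: three applications across two franchises.
LEADS: Dict[int, Lead] = {
    1001: Lead(1001, 7, "a@example.com", ("Hi, I'm Olivia.", "I'd like to apply."), "tok-a"),
    1002: Lead(1002, 7, "b@example.com", ("Hi, I'm Olivia.", "Evening shifts?"), "tok-b"),
    1003: Lead(1003, 9, "c@example.com", ("Hi, I'm Olivia.", "Weekends only."), "tok-c"),
}


def get_lead_vulnerable(session: Session, lead_id: int) -> Lead:
    """IDOR: the caller is authenticated (we have a Session) but the code never
    asks whether lead_id belongs to them. Any logged-in user can walk
    lead_id = 1, 2, 3, ... and read every record, including session tokens."""
    return LEADS[lead_id]


def get_lead_hardened(session: Session, lead_id: int) -> Lead:
    """Object-level authorization: return the record only if the caller is
    staff at the franchise that owns it, or the applicant who submitted it.
    Unknown and unauthorized ids raise the same error, so the endpoint does not
    reveal which ids exist."""
    lead = LEADS.get(lead_id)
    if lead is None:
        raise AuthorizationError("not found or not permitted")
    owns_as_staff = (session.franchise_id is not None
                     and session.franchise_id == lead.franchise_id)
    owns_as_applicant = (session.applicant_email is not None
                         and session.applicant_email == lead.applicant_email)
    if not (owns_as_staff or owns_as_applicant):
        raise AuthorizationError("not found or not permitted")
    return lead


def readable_leads(session: Session,
                   lookup: Callable[[Session, int], Lead],
                   id_range: range = range(1000, 1010)) -> List[int]:
    """Simulate the attack: iterate a block of candidate ids through an
    endpoint and report which records the session could actually read."""
    found = []
    for lead_id in id_range:
        try:
            found.append(lookup(session, lead_id).lead_id)
        except (KeyError, AuthorizationError):
            continue
    return found


if __name__ == "__main__":
    # A staff login for the test franchise (id 7) reads everything through the
    # vulnerable endpoint, but only its own two applications once fixed.
    staff = Session("staff-7", franchise_id=7, applicant_email=None)
    print("vulnerable:", readable_leads(staff, get_lead_vulnerable))
    print("hardened:  ", readable_leads(staff, get_lead_hardened))
```

The readable_leads helper is the enumeration the researchers performed by hand: against the vulnerable endpoint a single low-privilege login sees every application in the id range, while the hardened endpoint limits it to the records that login actually owns. The fix is a check at the point of access, not an obscured or randomized identifier; unguessable ids only slow an attacker down.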
“In just a few hours of looking, we found two major issues: the admin interface used the default login 123456:123456, and an internal API allowed us to access any chat or contact by manipulating a number,” explained Carroll in a public write-up.
Together, these two flaws meant that anyone holding a McHire login, which the default credentials handed out to anyone who tried them, could view the personal data of millions of real job applicants without any authorization.
The researchers reported the issue on June 30 to both Paradox.ai and McDonald’s. To their credit, McDonald’s responded within an hour, and the weak default login credentials were disabled the same day.
“We’re disappointed by this unacceptable vulnerability from a third-party provider, Paradox.ai. As soon as we learned of the issue, we mandated immediate remediation, and the issue was resolved that same day,” McDonald’s told Wired in a statement.
Paradox.ai patched the IDOR vulnerability immediately and confirmed that the issue was resolved. The company added that it is performing a complete audit of its systems so that such security failures do not recur.
This incident serves as a grim reminder that even large, well-established corporations can suffer major security lapses, particularly when they rely on third-party platforms. Here, a basic mistake, default login credentials, combined with an API that never checked authorization, exposed the personal information of millions of job applicants.
For users, the most important thing to remember is this: your data is only as secure as the weakest link in the system you're placing it into.