Fast food chain McDonald’s recently suffered a security breach, exposing personal data of over 60 million job applicants. The breach occurred on its hiring portal “McHire”, more specifically through the portal’s chatbot Olivia.
The hiring portal uses the Olivia chatbot to gather details of applicants, such as their resumes, along with personal details. After gathering the details, the chatbot directed the applicants to a ‘personality test’.
The bot was managed by third-party US-based AI company Paradox.ai. According to a report in Wired, independent security researchers Ian Carroll and Sam Curry revealed in a blog post that they had found a simple way to break into the backend of the McHire AI platform.
Following complaints from Reddit users about the bot’s nonsensical responses, the researchers tested it for ‘prompt injection’ vulnerabilities that could have allowed hackers to bypass its safeguards by inputting certain commands. Prompt injection vulnerabilities are a type of attack that allows hackers to manipulate large language models, or LLMs, through certain prompts that would cause them to leak sensitive information.
When the researchers could not spot project injection vulnerabilities, they attempted to sign up as a McDonald’s franchisee on McHire to access its backend. After discovering the login page for “Paradox team members” on the McHire portal, they entered 123456 as both the username and password. They were promptly logged in without any multifactor authentication tests. From there, they were able to view unmasked personal data of every user that has ever talked to Olivia to apply for a job at McDonald’s.
Carroll told Wired how one of the reasons he was able to find the security breach was due to being intrigued by the presence of a “personality test” in the hiring process.
“I just thought it was pretty uniquely dystopian compared to a normal hiring process, right? And that’s what made me want to look into it more. So I started applying for a job, and then after 30 minutes, we had full access to virtually every application that’s ever been made to McDonald’s going back years,” Carroll told the publication.
Story continues below this ad
After being notified of the breach by the researchers, Paradox.ai, the third-party company handling the Olivia chatbot, released a blog post about the issue, where they confirmed that the vulnerability has been addressed by the company. The account Carroll and Curry logged into was a test account that had been missed during Paradox.ai’s security checks but has been taken down after being flagged by the duo. The company also claimed that the only third parties to access the account had been Carroll and Curry.
McDonald’s was also notified by the security researchers, who subsequently blamed Paradox.ai for the breach.
“We’re disappointed by this unacceptable vulnerability from a third-party provider, Paradox.ai. As soon as we learned of the issue, we mandated Paradox.ai to remediate the issue immediately, and it was resolved on the same day it was reported to us. We take our commitment to cybersecurity seriously and will continue to hold our third-party providers accountable to meeting our standards of data protection,” the fast food company told the publication.
As per Carroll and Curry’s blog post, the issue was disclosed confidentially to Paradox.ai and McDonald’s simultaneously, and it was resolved.
Story continues below this ad
(This article has been curated by Purv Ashar, who is an intern with The Indian Express)
