Ethical Hacking News
McDonald's McHire chatbot recruitment platform exposed personal data of over 64 million job applicants due to insecure internal APIs. The incident highlights the importance of robust data protection measures in online systems, particularly those involving user interaction and sensitive information.
The personal information of 64 million job applicants was exposed by a McHire chatbot vulnerability. Security researchers Ian Carroll and Sam Curry identified multiple flaws in the chatbot's internal APIs. The default credentials "123456" (as both username and password) gave them admin access to a test account, and an insecure direct object reference (IDOR) let them read sensitive contacts and chats. They also found a hidden API that returned chat data after a slight modification of the request; it exposed every chat interaction, including history and auth tokens. McDonald's and Paradox.ai worked together to resolve the issues and enhance security measures.
On July 12, 2025, a security breach was revealed that exposed the personal information of over 64 million job applicants who had applied for positions through McDonald's McHire chatbot recruitment platform. The vulnerability was discovered by Ian Carroll and Sam Curry, two security researchers who identified multiple flaws in the chatbot's internal APIs.
The McHire chatbot, built by Paradox.ai, was found to have a test account with username and password both set to "123456." This allowed the researchers to gain admin access to a test "restaurant" and view sensitive information from millions of applicants. Moreover, they discovered that the system had an insecure direct object reference (IDOR) on an internal API, which enabled them to access any contacts and chats they wanted.
The researchers tested McDonald's McHire job app by applying for a job, interacting with its chatbot "Olivia," and taking a personality test powered by Traitify. Their application stalled pending human review, but they were able to explore the login page for McHire admins and gain admin access using default credentials.
Without much thought, the researchers entered "123456" as the username and "123456" as the password and were surprised to see they were immediately logged in. Further analysis revealed that there was a hidden API that allowed them to access chat data by slightly changing a number in the request (the lead_id).
The researchers quickly realized that this API gave them access to the chat records of every job application ever submitted through McHire at McDonald's. They could even retrieve chat history and auth tokens that would allow an applicant to be impersonated, potentially exposing sensitive information from millions of job seekers.
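As an added illustration (not code from Paradox.ai or from the original article), the pattern behind an IDOR on a lead_id lookup, the tenant-scoped check that closes it, and the credential rule that would have rejected a "123456" test account; the record fields, function names, restaurant ids and sample data are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample records standing in for the platform's database; each chat
# belongs to one restaurant (tenant). Ids and names are assumptions, not real data.
CHATS = {
    1001: {"restaurant_id": 7, "applicant": "Applicant A", "auth_token": "tok-a"},
    1002: {"restaurant_id": 7, "applicant": "Applicant B", "auth_token": "tok-b"},
    1003: {"restaurant_id": 9, "applicant": "Applicant C", "auth_token": "tok-c"},
}

# Placeholder deny-list; a real deployment would check a breached-password corpus.
BANNED_PASSWORDS = {"123456", "password", "admin"}


class Forbidden(Exception):
    """Raised for any lookup the caller is not entitled to (missing or foreign)."""


@dataclass
class Session:
    user: str
    restaurant_id: int  # tenant the logged-in admin actually belongs to


def get_chat_insecure(session: Session, lead_id: int) -> dict:
    """Vulnerable pattern: authentication is checked upstream, but the record is
    fetched purely by the caller-supplied lead_id with no ownership test, so any
    authenticated account can read any tenant's chat (an IDOR)."""
    return CHATS[lead_id]


def get_chat(session: Session, lead_id: int) -> dict:
    """Hardened lookup: scope the query to the caller's tenant and answer missing
    and foreign records identically, so neighbouring ids reveal nothing. Auth
    tokens never leave the server alongside the transcript."""
    chat = CHATS.get(lead_id)
    if chat is None or chat["restaurant_id"] != session.restaurant_id:
        raise Forbidden(f"lead {lead_id} is not visible to {session.user}")
    return {k: v for k, v in chat.items() if k != "auth_token"}


def password_allowed(username: str, password: str) -> bool:
    """Credential rule that would have rejected a 123456/123456 test account:
    no deny-listed values, not equal to the username, and a minimum length."""
    return (password not in BANNED_PASSWORDS
            and password.lower() != username.lower()
            and len(password) >= 12)
```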
In response to the discovery, Paradox.ai and McDonald's confirmed receipt of the report and worked together to resolve the issues. The company announced security enhancements to protect its users' data.
The incident highlights the importance of robust data protection measures in online systems, particularly those involving user interaction and sensitive information. It serves as a reminder to organizations that lax security protocols can have severe consequences, affecting not only their reputation but also the personal data of millions of individuals.
In recent years, there has been an increasing focus on data protection and cybersecurity. The rise of digital technologies has created new vulnerabilities that must be addressed through robust security measures. This incident demonstrates the need for organizations to prioritize data protection and invest in secure systems that can safeguard sensitive information.
As technology continues to evolve, it is essential for companies like McDonald's to stay ahead of emerging threats and adopt proactive security strategies. The McHire chatbot security breach serves as a warning to organizations to ensure their systems are secure and compliant with data protection regulations.
In conclusion, the McDonald's chatbot security breach shows how a default credential and a missing authorization check on an internal API can together expose the data of tens of millions of people, and why data protection must be treated as a priority rather than an afterthought.
Related Information:
https://www.ethicalhackingnews.com/articles/McDonalds-Chatbot-Security-Breach-A-Cautionary-Tale-of-Inadequate-Data-Protection-ehn.shtml
https://securityaffairs.com/179840/hacking/mcdonalds-job-app-exposes-data-of-64-million-applicants.html
Published: Sat Jul 12 12:52:25 2025 by llama3.2 3B Q4_K_M