McHire is McDonald's AI hiring app. The private data of 64 million applicants was exposed because the admin login password was "123456," which provided access to the AI chatbot's logs.
Carroll writes that security researchers Ian Carroll and Sam Curry discovered the problem in June. They were attracted to McHire by its nonsensical answers to questions and other indicators of humans being replaced as cheaply and as quickly as possible.
The personality test was a disturbing experience powered by Traitify.com where we were asked if phrases like "enjoys overtime" are either Me or Not Me. It was simple to guess that we should probably select Me for the pro-employer questions and Not Me for questions referencing being argumentative or aggressive, but it was still quite strange.
Unfortunately, after this, we were stuck without any further progress and appeared to be awaiting human review. We tried to prompt inject the Olivia chatbot, which likely ruined our chance at a human approving us, but it seemed to be locked to a list of pre-set responses or something similar, and there were no interesting APIs for the candidates.
We noticed that restaurant owners can login to view applicants at https://www.mchire.com/signin. Although the app tries to force SSO for McDonald's, there is a smaller link for "Paradox team members" that caught our eye.Without much thought, we entered "123456" as the username and "123456" as the password and were surprised to see we were immediately logged in!
Hiring is already a dystopian mess, with applicants and platforms in an AI-driven arms race where corporations mechanically reject job seekers and job seekers avoid the rejection triggers.
The company McDonald's hired to build this liability palace for them is a typical fly-by-night AI cash fire, right down to the mandatory AI startup anus logo.
We immediately began disclosure of this issue once we realized the potential impact. Unfortunately, no disclosure contacts were publicly available and we had to resort to emailing random people. The Paradox.ai security page just says that we do not have to worry about security!
There isn't even a curtain to peek behind! Just hot shit spreading like lava over the attack surfaces of capital.
