AI Hiring Bot at McDonald's Exposes Millions of Applicant Records Due to Security Flaw

Cybersecurity experts Ian Carroll and Sam Curry reported that they discovered straightforward methods to breach the backend of the AI chatbot platform on McHire.com, which is utilized by McDonald’s to manage job applications. As a result, they accessed the information of millions of applicants.

To apply for a position at McDonald’s, candidates interact with a chatbot named “Olivia.” This bot screens applicants, requests their contact details and resumes, and directs them to a personality test.

Until last week, the platform powered by “Olivia,” developed by Paradox.ai, had serious security vulnerabilities. Consequently, virtually any hacker could access the records of all interactions the AI bot had with job applicants. The administrative interface for restaurant owners accepted the default login credentials of “123456.” Additionally, the internal API was susceptible to IDOR (Insecure Direct Object Reference) vulnerabilities, allowing unauthorized access to any chats and contacts.

The researchers went through the application process on the McHire website. Carroll and Curry found that basic web vulnerabilities, including brute-forcing a weak password, enabled them to gain access to the Paradox.ai account and make requests to the company’s databases, which stored all user chats with “Olivia.” They simply needed to alter the identifiers.
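The two weaknesses described above (a record lookup that trusts whatever identifier the caller supplies, reachable from any account, including one opened with a default password) come down to missing object-level authorization. The following is an added illustration, not Paradox.ai's or McHire's code: a hypothetical "get chat by id" handler in its IDOR-prone form beside an ownership-enforcing form, plus a regression check a defender can run to confirm tenants cannot read each other's records. All records, tenant ids and names are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

@dataclass(frozen=True)
class Chat:
    chat_id: int
    restaurant_id: int      # tenant (restaurant account) that owns the record
    applicant_name: str
    applicant_email: str

# Constructed sample records: two restaurant accounts share one backend.
CHATS = {
    1001: Chat(1001, 7, "A. Applicant", "a@example.com"),
    1002: Chat(1002, 7, "B. Applicant", "b@example.com"),
    1003: Chat(1003, 9, "C. Applicant", "c@example.com"),
}
TENANTS = {7, 9}

def get_chat_vulnerable(caller_restaurant_id: int, chat_id: int) -> Optional[Chat]:
    # The identifier from the request is trusted as-is: any logged-in account
    # can read every tenant's chats just by changing chat_id (IDOR).
    return CHATS.get(chat_id)

def get_chat_hardened(caller_restaurant_id: int, chat_id: int) -> Optional[Chat]:
    # Object-level authorization: the record must belong to the caller's own
    # restaurant. A foreign record is answered exactly like a missing one, so
    # the response does not confirm which identifiers exist.
    chat = CHATS.get(chat_id)
    if chat is None or chat.restaurant_id != caller_restaurant_id:
        return None
    return chat

def tenant_isolation_holds(fetch: Callable[[int, int], Optional[Chat]],
                           candidate_ids: Iterable[int] = range(1000, 1010)) -> bool:
    """Regression check: no tenant may obtain a record it does not own."""
    ids = list(candidate_ids)
    for tenant in TENANTS:
        for cid in ids:
            chat = fetch(tenant, cid)
            if chat is not None and chat.restaurant_id != tenant:
                return False
    return True

if __name__ == "__main__":
    print("vulnerable handler isolates tenants:", tenant_isolation_holds(get_chat_vulnerable))  # False
    print("hardened handler isolates tenants:", tenant_isolation_holds(get_chat_hardened))      # True
```

The same check belongs in the API's test suite for every endpoint that takes a record identifier, since the weak admin password only mattered because the lookup behind it did not verify ownership.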

The data retrieved included approximately 64 million records, consisting of names, email addresses, and phone numbers of candidates.

Carroll noted, “I started looking for a job, and within 30 minutes, we had full access to nearly all applications ever submitted to McDonald’s in recent years.”

Paradox.ai confirmed the findings of the security assessment. The company stated that only these researchers accessed the account with the weak password. To prevent similar incidents in the future, Paradox has launched a bug bounty program.

McDonald’s acknowledged that the responsibility lies with Paradox.ai. “We are disappointed by this unacceptable vulnerability caused by a third-party service provider, Paradox.ai. Once we became aware of the issue, we instructed Paradox.ai to resolve it immediately, and it was addressed the same day,” read their statement.

Earlier surveys indicated that 76% of organizations that hired employees in the past year use assessments to determine candidates’ suitability. This trend aligns with many applicants using artificial intelligence to prepare their resumes. As a result, companies are increasingly using cognitive and personality tests to filter candidates and better understand their actual abilities.

Meanwhile, researchers from Erasmus University’s Rotterdam School of Management discovered that companies’ use of artificial intelligence in hiring can influence candidates’ behavior, leading to biased selection outcomes. Experiments showed that applicants tend to “please” the AI by emphasizing their analytical skills while downplaying their emotional intelligence.