Get ready. We’re going to see a lot more of this.
Security researchers discovered that McDonald’s AI hiring chatbot “Olivia” (built by Paradox.ai and hosted on McHire.com) had gaping security flaws. They gained full admin access in under 30 minutes by guessing the credentials (username: admin, password: 123456), with no multifactor authentication in sight.

Once inside, they exploited an insecure direct object reference (IDOR) in the backend API to access chat logs and personal data from up to 64 million applicants, including names, emails, phone numbers, addresses, and more. Since these were researchers and not criminals, only a small subset was viewed (seven records, five with PII). However, the sheer scale and nature of the data pose massive risks, such as targeted phishing, fraud, and privacy harms for job-seekers.
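To make the authorization failure concrete, here is an added illustration (my own code, not Paradox.ai's or McHire's) of the pattern described above: an API handler that authenticates the caller but never checks whether the requested record belongs to them, beside a hardened version that enforces ownership and tenancy on every lookup. The record store, principals and ids are constructed sample data, and the function names are hypothetical.

```python
# Added example: the IDOR pattern beside its fix. All data below is constructed;
# nothing here is the McHire or Paradox.ai code base.
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user_id: str
    org_id: str   # the employer/tenant this account belongs to
    role: str     # "applicant", "recruiter" or "admin"


# Constructed sample store: applicant chat logs keyed by a sequential id.
CHAT_LOGS = {
    1001: {"owner": "u-alice", "org": "org-1", "pii": "alice@example.com"},
    1002: {"owner": "u-bob",   "org": "org-1", "pii": "bob@example.com"},
    1003: {"owner": "u-carol", "org": "org-2", "pii": "carol@example.com"},
}


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def get_chat_log_vulnerable(requester: Principal, log_id: int) -> dict:
    """Authenticated but NOT authorised: the handler trusts the id in the
    request, so any logged-in principal can walk sequential ids and read
    every applicant's record. This is the IDOR shape."""
    if log_id not in CHAT_LOGS:
        raise NotFound(log_id)
    return CHAT_LOGS[log_id]


def is_authorised(requester: Principal, record: dict) -> bool:
    """Ownership / tenancy check that must run on every object access."""
    if requester.role == "applicant":
        return record["owner"] == requester.user_id
    if requester.role == "recruiter":
        return record["org"] == requester.org_id
    return requester.role == "admin"


def get_chat_log_hardened(requester: Principal, log_id: int) -> dict:
    """Same endpoint with the object-level check in place."""
    record = CHAT_LOGS.get(log_id)
    # Return one error for "missing" and "not yours" so the response
    # itself does not reveal which ids exist.
    if record is None or not is_authorised(requester, record):
        raise Forbidden(log_id)
    return record


def readable_ids(handler, requester: Principal, id_range) -> list[int]:
    """Test helper for an authorization review: walk an id range as a given
    principal and report which records the handler hands back. For a
    non-admin this list should be tiny; a long list is the finding."""
    found = []
    for log_id in id_range:
        try:
            handler(requester, log_id)
            found.append(log_id)
        except (Forbidden, NotFound):
            pass
    return found


if __name__ == "__main__":
    alice = Principal("u-alice", "org-1", "applicant")
    print("vulnerable:", readable_ids(get_chat_log_vulnerable, alice, range(1000, 1010)))
    print("hardened:  ", readable_ids(get_chat_log_hardened, alice, range(1000, 1010)))
```

The point of `readable_ids` is that this class of bug is cheap to catch in a test suite: log in as an ordinary applicant, iterate a handful of ids, and assert that only that applicant's own record comes back.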
Give credit where it’s due: the vulnerability was patched within two days, and both Paradox.ai and McDonald’s emphasized swift remediation. Paradox.ai has launched a bug bounty program in response to the issue.
However, this is no minor misfire; it should be seen as a wake-up call for those wanting to jump on the AI freight train. Basic security hygiene was overlooked here: default credentials, no MFA, and no decommissioning of stale development accounts.
If we’re going to bolt on or build with AI, security can’t be an afterthought.
Original Article: https://www.wired.com/story/mcdonalds-ai-hiring-chat-bot-paradoxai
./dg