In the United States, fast food franchise McDonald’s uses a chat bot called McHire to collect the details of anyone looking to work at its restaurants and quickly forward them to nearby stores that are hiring.
Recently, two security researchers, Ian Carroll and Sam Curry, discovered several security issues in the chat bot, which was developed by the AI services company Paradox.ai. The chat bot’s login page was easy to find, and while McDonald’s restaurant owners log in through a Single Sign-On (SSO) system, there is also a login page for Paradox.ai staff that does not require such authentication.
First, they found that the password protecting the McHire system was not secure at all: Paradox.ai developers had been using “123456” as both the username and the password. Interestingly, although this gave them access to the bot’s backend system, the data it contained belonged to a fake restaurant, populated with details of Paradox.ai employees that appeared to be dummy records.
What is interesting here is that they discovered that the chat bot retrieves a user ID via an API call in order to display previous conversations. Ian and Sam exploited this API through an insecure direct object reference (IDOR): by requesting other IDs, they found they could see other applicants’ details, including:
Name, email address, phone number, home address
Work location, and desired shift
An auth token that allows the "hacker" to log into the user's account and access the details of that user's conversation with the bot
This vulnerability was reported to Paradox.ai and was reportedly fixed just a day after the company became aware of the issue.
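To make the IDOR pattern concrete, here is an added illustration (not Paradox.ai's or McDonald's code, and not from the researchers) of a minimal conversation-lookup endpoint: the vulnerable form trusts the caller-supplied ID and even returns the auth token, the hardened form requires that the record belong to the requester or to a restaurant the requester manages, and a small detector flags sessions that walk through many applicant IDs in a short window. All names, records and log lines are constructed for the example.

```python
"""Added example, not the chat bot's real code: IDOR-prone lookup, its
hardened form, and a log-based enumeration detector. Data is constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Applicant:
    applicant_id: int
    name: str
    email: str
    restaurant_id: int
    auth_token: str                      # constructed placeholder, not a real token
    messages: list = field(default_factory=list)


# Constructed stand-in for the bot's backend store.
APPLICANTS = {
    1001: Applicant(1001, "Applicant A", "a@example.invalid", 7, "tok-a", ["hi"]),
    1002: Applicant(1002, "Applicant B", "b@example.invalid", 7, "tok-b", ["hello"]),
    1003: Applicant(1003, "Applicant C", "c@example.invalid", 9, "tok-c", ["hey"]),
}


@dataclass
class Session:
    user_id: int                         # applicant id, or staff/owner id
    role: str                            # "applicant" or "owner"
    restaurant_ids: frozenset = frozenset()


PUBLIC_FIELDS = ("applicant_id", "name", "email", "restaurant_id", "messages")


def _serialize(a: Applicant) -> dict:
    # The conversation endpoint has no reason to return credentials.
    return {k: getattr(a, k) for k in PUBLIC_FIELDS}


def get_conversation_vulnerable(session: Session, applicant_id: int) -> Optional[dict]:
    """IDOR: no ownership check, any id is served, and the token leaks too."""
    a = APPLICANTS.get(applicant_id)
    if a is None:
        return None
    return {**_serialize(a), "auth_token": a.auth_token}


class Forbidden(Exception):
    pass


def get_conversation_secure(session: Session, applicant_id: int) -> dict:
    """Hardened: the record must be the requester's own, or belong to a
    restaurant the requesting owner manages. Missing and unauthorised ids get
    the same response so existence cannot be probed."""
    a = APPLICANTS.get(applicant_id)
    owns = session.role == "applicant" and session.user_id == applicant_id
    manages = (session.role == "owner" and a is not None
               and a.restaurant_id in session.restaurant_ids)
    if a is None or not (owns or manages):
        raise Forbidden("not found")
    return _serialize(a)


# Constructed access-log lines: "<epoch> <session> <method> <path> <status>"
LOG_LINES = [
    "1700000000 sess-1 GET /conversations/1001 200",
    "1700000001 sess-1 GET /conversations/1001 200",
    "1700000005 sess-2 GET /conversations/1001 403",
    "1700000006 sess-2 GET /conversations/1002 403",
    "1700000007 sess-2 GET /conversations/1003 403",
    "1700000008 sess-2 GET /conversations/1004 403",
    "1700000009 sess-2 GET /conversations/1005 403",
]


def flag_enumeration(lines, max_distinct_ids=3, window_seconds=60):
    """Return {session: distinct ids} for sessions that touch more applicant ids
    within a window than a legitimate applicant (who has one record) would."""
    seen = defaultdict(list)             # session -> [(ts, applicant_id)]
    for line in lines:
        ts, sess, _method, path, _status = line.split()
        seen[sess].append((int(ts), int(path.rsplit("/", 1)[1])))
    flagged = {}
    for sess, events in seen.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ids = {aid for t, aid in events[i:] if t - t0 <= window_seconds}
            if len(ids) > max_distinct_ids:
                flagged[sess] = len(ids)
                break
    return flagged


if __name__ == "__main__":
    me = Session(1001, "applicant")
    print(get_conversation_vulnerable(me, 1002))   # someone else's record, token included
    print(get_conversation_secure(me, 1001))       # own record, no token
    print(flag_enumeration(LOG_LINES))             # {'sess-2': 5}
```

The authorization decision lives in the handler rather than relying on the ID being hard to guess, and the detector keys on a behaviour that legitimate applicants never exhibit, so it catches enumeration even when the endpoint already returns 403.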