Would You Like an IDOR With That? Leaking 64m McDonald's Job Applications

https://news.ycombinator.com/rss Hits: 6
Summary

Introduction

McHire is the chatbot recruitment platform used by 90% of McDonald’s franchisees. Prospective employees chat with a bot named Olivia, created by a company called Paradox.ai, that collects their personal information and shift preferences and administers personality tests. We noticed this after seeing complaints on Reddit of the bot responding with nonsensical answers.

During a cursory security review of a few hours, we identified two serious issues: the McHire administration interface for restaurant owners accepted the default credentials 123456:123456, and an insecure direct object reference (IDOR) on an internal API allowed us to access any contacts and chats we wanted. Together they allowed us, and anyone else with a McHire account and access to any inbox, to retrieve the personal data of more than 64 million applicants.

Applying for a job

We started by applying for a job at our local McDonald’s. McHire has a consumer-facing site at https://jobs.mchire.com/ where it is easy to find available postings near you. We were immediately sent to Olivia, who helped us fill in our email and phone number along with what shifts we can work, and we were instantly moved to the next stage: the personality test!

McHire personality test

The personality test was a disturbing experience powered by Traitify.com where we were asked if phrases like “enjoys overtime” are either Me or Not Me. It was simple to guess that we should probably select Me for the pro-employer questions and Not Me for questions referencing being argumentative or aggressive, but it was still quite strange.

Unfortunately, after this, we were stuck without any further progress and appeared to be awaiting human review. We tried to prompt inject the Olivia chatbot, which likely ruined our chance at a human approving us, but it seemed to be locked to a list of pre-set responses or something similar, and there were no interesting APIs for the candidates.

Logging in

We noticed that restaurant owners can log in to view ap...
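The IDOR described above is a missing authorization check: the API looked records up by a caller-supplied id without verifying that the caller's franchise owned them. The following is an added illustration of that bug class beside its fix, not McHire's or Paradox.ai's code. The tenant model (a franchise_id on each session and each chat), the handler names, and the sample chats are all constructed for the example; it also includes a simple log-based enumeration check that a defender could run over access events.

```python
"""Added illustration of the IDOR class described in the write-up. This is not
McHire's or Paradox.ai's code; every id, name and transcript below is constructed."""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, List, Set, Dict


@dataclass(frozen=True)
class Session:
    user: str
    franchise_id: int  # tenant (restaurant owner) the logged-in user belongs to


@dataclass(frozen=True)
class Chat:
    chat_id: int
    franchise_id: int  # tenant that owns this applicant conversation
    applicant: str
    transcript: str


class AuthorizationError(Exception):
    """Raised when a caller asks for a record outside its own tenant."""


# Constructed sample data: two franchises, one applicant chat each.
CHATS: Dict[int, Chat] = {
    1001: Chat(1001, 1, "applicant-a", "Olivia: Which shifts can you work? ..."),
    1002: Chat(1002, 2, "applicant-b", "Olivia: Which shifts can you work? ..."),
}


def get_chat_vulnerable(session: Session, chat_id: int) -> Optional[Chat]:
    """IDOR: the lookup is keyed only on the caller-supplied id. Authentication
    is implied (a session exists) but authorization is never checked, so any
    logged-in user can read every tenant's chats by varying chat_id."""
    return CHATS.get(chat_id)


def get_chat_fixed(session: Session, chat_id: int) -> Chat:
    """Hardened: after the lookup, the record's owner is compared with the
    caller's tenant. A foreign record is treated exactly like a missing one so
    the response does not confirm which ids exist."""
    chat = CHATS.get(chat_id)
    if chat is None or chat.franchise_id != session.franchise_id:
        raise AuthorizationError(f"chat {chat_id} not accessible")
    return chat


Handler = Callable[[Session, int], Optional[Chat]]


def can_access(handler: Handler, session: Session, chat_id: int) -> bool:
    """True if the handler returns a record for this session and id."""
    try:
        return handler(session, chat_id) is not None
    except AuthorizationError:
        return False


def accessible_ids(handler: Handler, session: Session,
                   id_range: Iterable[int]) -> List[int]:
    """Ids in id_range that the handler hands back to this session. Under the
    vulnerable handler this is every existing id; under the fixed one it is
    only the session's own tenant."""
    return [cid for cid in id_range if can_access(handler, session, cid)]


def flag_enumeration(events: Iterable[tuple], threshold: int) -> Set[str]:
    """Detection aid: given (user, chat_id, outcome) access events, return users
    who touched at least `threshold` distinct chat ids. A normal owner reads a
    handful of their own chats; a sweep across ids stands out by count alone."""
    seen: Dict[str, Set[int]] = {}
    for user, chat_id, _outcome in events:
        seen.setdefault(user, set()).add(chat_id)
    return {user for user, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    owner = Session("owner-1", 1)
    print("vulnerable:", accessible_ids(get_chat_vulnerable, owner, range(1000, 1005)))
    print("fixed:     ", accessible_ids(get_chat_fixed, owner, range(1000, 1005)))
```

The fix deliberately folds "not found" and "not yours" into one error path; returning a distinct 403 for existing foreign records would still leak which ids are populated. The enumeration check is a starting point for alerting on the access log, not a substitute for the authorization check itself.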

First seen: 2025-07-09 22:37

Last seen: 2025-07-10 03:37