submitted 3 days ago by [email protected] to c/[email protected]
[email protected] 16 points 3 days ago

I don't know much about networking like this but wouldn't you keep sensitive information like job applicant data in a different, secure part of the network from the AI chatbots so they don't have access to it?

[email protected] 7 points 3 days ago

Only if you want to devote resources and spend money to do things in a secure and correct manner

[email protected] 6 points 3 days ago* (last edited 3 days ago)

Looking at the API that fetched the candidate information, the researchers noticed that it contained an insecure direct object reference (IDOR) weakness, exposing an ID parameter that appeared to be the order number for the applicant. For the researchers’ application, that ID was 64,185,742.

This is super common. They are securing the thing that sends you the endpoint for the record, but not the API for getting the records themselves.

It's kinda like saying "hey, the key to your room is in the box labeled 10" so you go to that box and grab your key. But you notice that there are boxes on the left and right of box 10, and those boxes contain the keys to other rooms.

No one ever told you that boxes 9 and 11 exist (the modicum of "security" the API provided), but all it takes to find them is knowing that you have a box and there was probably someone who got a box before you and after you.

It means they're just incrementing the ID by one for each record. You could get a little bit better using a GUID that isn't sequential, but really you should only allow access to that record if someone has a valid credential.

In this specific situation it seems that they did have auth, but they left the testing store accessible with default admin passwords (123456) and that testing admin could then be used to access literally everything else.
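Added example, not part of any comment in this thread and not the code of the system in the article: the pattern described in the comment above, with the lookup that trusts whatever ID the caller supplies next to one that checks the caller's credential against the record's owner. All names, tokens and records here are constructed for illustration.

```python
import uuid
from collections import Counter

# Constructed sample data (hypothetical names); keys are random UUIDs, not a counter.
RECORDS = {}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}  # token -> authenticated user
DENIED = Counter()  # per-user count of refused lookups, something to alert on


def create_record(owner, email):
    """Store a record under a non-sequential ID so neighbouring IDs cannot be guessed."""
    record_id = str(uuid.uuid4())
    RECORDS[record_id] = {"owner": owner, "email": email}
    return record_id


def get_record_vulnerable(record_id):
    """The IDOR pattern: whoever supplies an ID gets the record, no questions asked."""
    record = RECORDS.get(record_id)
    return (200, record) if record else (404, None)


def get_record_hardened(session_token, record_id):
    """Authenticate the caller, then authorize access to this specific record."""
    user = SESSIONS.get(session_token)
    if user is None:
        return (401, None)
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != user:
        # Same answer for "missing" and "not yours": do not confirm which IDs exist.
        DENIED[user] += 1
        return (404, None)
    return (200, record)


ALICE_ID = create_record("alice", "alice@example.test")
BOB_ID = create_record("bob", "bob@example.test")
```

The random ID only makes records harder to find; the owner check in `get_record_hardened` is what refuses the request when a valid ID belongs to someone else.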

[email protected] 10 points 3 days ago

The chatbot didn't have that access; it was an API endpoint that would let you enter sequential user IDs to get full authentication as any user.

this post was submitted on 11 Jul 2025
72 points (100.0% liked)