Particle.news

McDonald’s Secures AI Hiring Chatbot After 64 Million Applications Exposed

Paradox.ai has launched a bug bounty program to strengthen its hiring chatbot’s security.

Overview

  • On June 30, researchers Ian Carroll and Sam Curry reported that the McHire admin interface used default credentials “123456:123456” and contained an insecure direct object reference flaw.
  • The vulnerability allowed enumeration of lead_id values to retrieve full chat transcripts, session tokens and personal data from over 64 million job applications.
  • Paradox.ai patched the IDOR flaw and disabled the weak default credentials on the same day the issues were disclosed.
  • On July 9, Paradox.ai launched a bug bounty program and commenced a comprehensive systems review to guard against similar vulnerabilities.
  • McDonald’s now requires stricter third-party vendor security controls and regular audits for its AI-driven hiring platforms.
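The two weaknesses the researchers reported, a record lookup keyed only on a client-supplied `lead_id` and an administrative login accepting `123456:123456`, are both generic classes of defect. The following is an added illustration written for this summary; it is not Paradox.ai's code and does not reflect how McHire is built. The `Lead` table, organisation ids, transcripts and function names are constructed for the example. It shows the IDOR pattern beside a handler that enforces object-level authorization, a default-credential check of the kind a vendor audit would apply, and a log heuristic that flags the one-session, many-adjacent-ids access pattern characteristic of enumeration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Constructed sample data (not from the disclosure): two hiring organisations
# that share the same chatbot backend, each with its own candidate leads.
@dataclass(frozen=True)
class Lead:
    lead_id: int
    org_id: str
    transcript: str

LEADS: Dict[int, Lead] = {
    1001: Lead(1001, "org-a", "Candidate: I'd like to apply for the morning shift."),
    1002: Lead(1002, "org-b", "Candidate: Is this role part-time?"),
}


class LeadNotFound(Exception):
    """Raised for both 'no such lead' and 'lead belongs to another tenant'."""


def get_transcript_vulnerable(lead_id: int, caller_org: str) -> Optional[str]:
    """IDOR pattern: the record is selected purely by the client-supplied id.
    caller_org is accepted but never consulted, so any authenticated caller
    who can guess an id reads another tenant's transcript."""
    lead = LEADS.get(lead_id)
    return lead.transcript if lead else None


def get_transcript_fixed(lead_id: int, caller_org: str) -> str:
    """Object-level authorization: the id is only honoured if the record
    belongs to the caller's organisation. Missing and foreign records raise
    the same error so the response does not confirm which ids exist."""
    lead = LEADS.get(lead_id)
    if lead is None or lead.org_id != caller_org:
        raise LeadNotFound(f"lead {lead_id} not available to {caller_org}")
    return lead.transcript


# Small denylist of well-known default passwords; a real deployment would use
# a full breached-password list. The username == password rule catches the
# 123456:123456 pattern named in the disclosure.
DEFAULT_PASSWORDS = {"123456", "password", "admin", "changeme"}


def is_weak_default_credential(username: str, password: str) -> bool:
    """True if the pair should be rejected at provisioning or login time."""
    return (
        password.lower() in DEFAULT_PASSWORDS
        or username == password
        or len(password) < 12
    )


def looks_like_enumeration(requested_ids: Iterable[int], max_distinct: int = 20) -> bool:
    """Detection heuristic over one session's access log: many distinct lead
    ids, at least half of them consecutive, is characteristic of a sweep.
    Legitimate recruiter use touches a handful of unrelated ids."""
    ids = sorted(set(requested_ids))
    if len(ids) < max_distinct:
        return False
    adjacent = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
    return adjacent >= len(ids) // 2


if __name__ == "__main__":
    # org-a reading org-b's lead: leaks through the vulnerable path only.
    print(get_transcript_vulnerable(1002, "org-a"))
    try:
        get_transcript_fixed(1002, "org-a")
    except LeadNotFound as exc:
        print("blocked:", exc)
    print(is_weak_default_credential("123456", "123456"))
    print(looks_like_enumeration(range(5000, 5030)))
```

The fixed handler deliberately collapses "not found" and "not yours" into one error: returning a distinct 403 for foreign records would still tell a caller which ids are populated. The enumeration heuristic is meant to run over per-session access logs as an alert, not as a blocking control, since a threshold of 20 distinct ids will need tuning to the recruiter workflow it is deployed against.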