
McDonald’s recruitment AI used 123456 as a password: the personal data of millions of candidates was exposed

The artificial intelligence McDonald’s uses to recruit new trainers for its restaurants allowed candidates' data to be recovered because of an overly simple password.

No, 123456 is not a safe password. Quite the opposite: it is one of the passwords that hackers seeking access to confidential information find easiest to guess. This is what happened with the recruitment AI that McDonald’s uses to sort the applications of people who want to work in its restaurants.

Called Olivia, this chatbot asks for several pieces of contact information, as well as a CV, before giving candidates a personality test. But when researchers tried to find out a little more about the methodology used, not only did Olivia begin to understand nothing in the applications, it also proved particularly easy to get behind the scenes.

A simple password for an administration account

Ian Carroll and Sam Curry, ethical hackers, have revealed a method that made it possible to enter the administration mode of the McHire platform and, therefore, recover the data of 64 million candidates, including email address, full name and telephone number.

Just thirty minutes after starting the process, they had broad access to the site's data through a test account.

The hackers were simply treated as administrators of Paradox.AI, which manages Olivia, thanks to a very simple password: 123456. They then had access to a link that let them reach all the candidates. Looking further, Ian Carroll and Sam Curry discovered the scale of the flaw, with more than 64 million identification numbers and, therefore, as many possible candidates.

An “unacceptable” flaw for McDonald’s

While a large-scale phishing campaign could have emerged had this data been exploited, the two hackers specify that the data was not especially sensitive. However, they could have had access to exchanges with candidates, in a company that hires at the hourly minimum wage in the United States, and where working there carries little prestige, Wired notes.

Paradox.AI published a post on its blog confirming the intrusion, as well as the password used on the account. However, its investigation established that no third party, other than the hackers who identified the flaw, accessed the data.

McDonald’s was content to blame its partner: “We are very disappointed with this unacceptable vulnerability from a third-party provider, Paradox.”

Note that this flaw does not concern recruitment in France: McDonald’s does not use Olivia and Paradox.AI in France.

Author: Sylvain Trinel
Source: BFM TV
