No one argues that AI The labor market will changeto begin with, it is already very present in the Recruitment processes of personnel McDonald’s franchisees in the US use a chatbot of recruitment based on AI which collects and manages the data of the millions of new candidates who want to work in one of the restaurants in the hamburger chain. However, such and as they publish in Wiredwho configured it forgot something as basic as changing the original password of the administrator of the entire platform.
The selection chatbot. McDonald’s uses a platform called Mchire, developed by Paradox.AI, to manage the Personnel selection process through a chatbot known as Olivia. When a candidate shows interest in a job offer, the chatbot comes into play and requests candidates for personal data, shift preferences and directs them to perform a personality test to process their candidacy. The use of artificial intelligence intended Without human intervention.
However, such and as they counted Ian Carroll and Sam Curry, the researchers who unintentionally discovered the ruling, were two things that caught their attention. The first one was a Reddit thread in which it was ensured that the McDonald’s hiring AI was giving Some funny failures Going crazy to the candidates who tried to leave their job application.
The second thing that led them to investigate a little more about the McDonald’s hiring chatbot was that it seemed very strange that The replacement the curriculums For a personality test. “It seemed quite dystopic compared to a normal hiring process, right? And that was what encouraged me to investigate it more thoroughly,” Carroll said.
The security failure: “123456”. Researchers Ian Carroll and Sam Curry have Much experience in cybersecurityso no one is surprising that they have managed to violate the security of a platform.
However, as they report in their blog, they did not need any of their great technical knowledge to take control of the platform as administrators. They simply accessed the Mchire portal, which is the platform after the chatbot of employee hiring for the McDonald’s franchises, and used the password “123456” in the access and access password fields.
“That allowed us, any other person, access to any entrance tray and recover the personal data of more than 64 million applicants,” said cybersecurity experts. This access not only allowed to see the data of the candidates, but also intervene in the conversations and ongoing selection processes. “It turned out that we had become administrators of a test restaurant within the Mchire system. We could see that all restaurant employees were simply employees of Paradox.AI, the company behind Mchire.”
The data were not exposed. After confirming that it was really a real security vulnerability, the researchers immediately contacted Paradox.AI, which, which He published a statement explaining that “only a small part of the records accessed by the researchers contained personal information” and that “the account ‘123456’ that exposed this data had not been accessed by anyone but the researchers.” In addition, he explained that the compromised credential was a trial account that “had not been used since 2019 and, frankly, should have been deactivated“
McDonald’s responsible for his supplier ensuring that “we are disappointed by this unacceptable vulnerability of an external supplier, Paradox.AI. As soon as we knew the problem, we ordered Paradox.
Paradox.
The without surveillance. The work context makes the data presented especially Attractive for cybercriminalswhich shows the importance of providing additional security layers to Chatbots based on AI They manage such sensitive data.
“If someone had exploited this, Phishing’s risk would have been really huge. It is not just identifiable personal information and curriculum. It is that information from people looking for work in McDonald’s, people who are waiting with anxious Electronic response emails“The researchers said.
Image | Wikimedia Commons (Dirk Tussing)
GIPHY App Key not set. Please check settings