A critical vulnerability in McHire, McDonald’s chatbot-based job application platform, exposed the personal data and chat transcripts of over 64 million U.S. job applicants.
The flaw was uncovered by cybersecurity researchers Ian Carroll and Sam Curry, who discovered that McHire’s admin panel was protected by weak credentials — both the username and password were simply “123456”. Once inside, they found a serious IDOR (Insecure Direct Object Reference) vulnerability in the backend API.
McHire, powered by Paradox.ai, is used by nearly 90% of McDonald’s franchisees. It processes job applications via a chatbot named Olivia, collecting applicants’ names, emails, phone numbers, addresses, availability, and personality test results.
By changing the lead_id parameter in a request to /api/lead/cem-xhr, the researchers could retrieve chat logs and sensitive data belonging to other applicants, because the endpoint performed no authorization check on the requested record.
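To make that missing check concrete, here is an added illustration (not code from McHire, Paradox.ai or the researchers' report) of a lead-lookup endpoint in the vulnerable form and with an object-level authorization check added; the sample records, the Session model and the function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed sample data: two applicants whose records belong to two different franchise accounts.
LEADS = {
    1001: {"org_id": "org-A", "name": "Applicant One", "transcript": ["hi", "when can you start?"]},
    1002: {"org_id": "org-B", "name": "Applicant Two", "transcript": ["hello", "any weekend shifts?"]},
}

@dataclass(frozen=True)
class Session:
    """The authenticated caller; org_id is the franchise account the admin belongs to (hypothetical model)."""
    user_id: str
    org_id: str

class Forbidden(Exception):
    pass

def get_lead_vulnerable(session: Session, lead_id: int) -> dict:
    """IDOR pattern: the caller is authenticated, but nothing ties lead_id to the caller,
    so any valid id returns another applicant's record."""
    if lead_id not in LEADS:
        raise KeyError(lead_id)
    return LEADS[lead_id]

def get_lead_fixed(session: Session, lead_id: int) -> dict:
    """Object-level authorization: the record must belong to the caller's organisation.
    Unknown and unauthorised ids raise the same error, so the endpoint does not reveal
    which ids exist."""
    lead = LEADS.get(lead_id)
    if lead is None or lead["org_id"] != session.org_id:
        raise Forbidden(f"lead {lead_id} is not accessible to {session.user_id}")
    return lead

Handler = Callable[[Session, int], dict]

def can_read(handler: Handler, session: Session, lead_id: int) -> bool:
    """True if the handler returns a record for this session and id."""
    try:
        handler(session, lead_id)
        return True
    except (KeyError, Forbidden):
        return False

def disclosed_count(handler: Handler, session: Session, ids: range) -> int:
    """How many records one session could obtain across an id range: the exposure an
    access-log review should flag when it exceeds the account's own records."""
    return sum(can_read(handler, session, i) for i in ids)
```

With the vulnerable handler a single org-A session reads both records; with the fixed handler it reads only its own.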
“Together, the default admin credentials and the IDOR flaw allowed us to retrieve the personal data of more than 64 million applicants,” Carroll wrote in a detailed report.
The issue was reported to Paradox.ai and McDonald’s on June 30 and was fixed the same day. McDonald’s said in a statement:
“We’re disappointed by this unacceptable vulnerability from a third-party provider, Paradox.ai… It was resolved immediately after reporting.”
Paradox.ai confirmed it has mitigated the flaw and is now reviewing its systems to prevent future issues.