McDonald’s brings back the Snack Wrap while quietly leaking data from 64 million job applicants

[Image: three hackers in hoodies eating chicken Snack Wraps at their laptops, under the McDonald’s logo and the parody slogan “i’m hacking it”.]

While McDonald’s is making headlines for the return of its popular Snack Wrap, researchers have revealed a serious data security issue involving the company’s job application platform. McHire, the chatbot-driven system used by the majority of McDonald’s franchise locations, reportedly exposed the personal information of more than 64 million applicants.

The McHire platform is powered by a company called Paradox.ai. It features a chatbot named Olivia that guides prospective employees through the job application process. Applicants are asked to enter personal information, choose their preferred work shifts, and complete a personality test. According to the researchers, concerns about the bot’s behavior first surfaced on Reddit, where users described receiving strange or unhelpful replies.

The researchers began by applying for a job at a local McDonald’s location using the public-facing McHire website. After completing the basic intake process, they turned their attention to the platform’s administration portal. They discovered a login page intended for internal users and attempted to log in using basic placeholder credentials.

To their surprise, entering the username and password “123456” granted full access to a test restaurant account. Once inside, they could view the system’s backend, including employee records and hiring activity related to test job postings.

The real issue came to light when the team began examining the web application’s API traffic. They discovered that by changing a single number in an API request, they could view other applicants’ data. There was no access control to prevent unauthorized requests. This type of vulnerability is known as an insecure direct object reference, or IDOR.

Using this flaw, the researchers were able to access records from millions of applicants. The exposed data included names, email addresses, phone numbers, home addresses, job preferences, and detailed logs of each user’s chat with the hiring system. Even worse, the responses included authentication tokens that allowed full access to an applicant’s account through the consumer interface.
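To show the access-control failure the last two paragraphs describe, here is an added Python example (not Paradox.ai or McHire code) that places a lookup with the IDOR beside a hardened version. The record store, restaurant ids, field names and token strings are constructed assumptions; the secured lookup checks that the applicant belongs to a restaurant the caller manages, returns one uniform error for missing and unowned ids, and strips the applicant's own auth token from the response.

```python
from dataclasses import dataclass

# Constructed sample data: applicant records keyed by a sequential numeric id,
# each tagged with the restaurant whose posting it belongs to. Field names,
# ids and token strings are assumptions for the illustration.
APPLICANTS = {
    1001: {"name": "Applicant A", "email": "a@example.com", "restaurant_id": 7,
           "chat_log": ["Hi, I'm Olivia.", "Which shifts suit you?"],
           "auth_token": "tok-A"},
    1002: {"name": "Applicant B", "email": "b@example.com", "restaurant_id": 8,
           "chat_log": ["Hi, I'm Olivia."], "auth_token": "tok-B"},
}
# Fields that belong to the applicant's own consumer session and must never be
# returned to a restaurant-side caller.
SENSITIVE_FIELDS = frozenset({"auth_token"})


@dataclass(frozen=True)
class AdminSession:
    """A logged-in restaurant account and the restaurants it may manage."""
    username: str
    restaurant_ids: frozenset


class NotFound(Exception):
    pass


def get_applicant_vulnerable(session: AdminSession, applicant_id: int) -> dict:
    """IDOR: the id in the request is the only thing consulted, so any session
    can walk the id space, and the applicant's own token comes back too."""
    record = APPLICANTS.get(applicant_id)
    if record is None:
        raise NotFound(applicant_id)
    return dict(record)


def get_applicant_secured(session: AdminSession, applicant_id: int) -> dict:
    """Object-level authorization: the record must belong to a restaurant the
    caller is entitled to, and consumer-side secrets are stripped."""
    record = APPLICANTS.get(applicant_id)
    # One error for both "does not exist" and "not yours": a distinguishable
    # 403 would still confirm to the caller which ids are valid.
    if record is None or record["restaurant_id"] not in session.restaurant_ids:
        raise NotFound(applicant_id)
    return {k: v for k, v in record.items() if k not in SENSITIVE_FIELDS}
```

The same per-object ownership check belongs on every endpoint that takes an id, including the one the applicant-side interface uses with the token.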

Once the scope of the issue became clear, the researchers attempted to report it. However, Paradox.ai did not have a dedicated security contact listed. The researchers ended up emailing multiple employees directly until someone responded. The vulnerable credentials were disabled the same day, and the insecure API was secured soon after.

Paradox.ai later confirmed that the issue had been addressed and said it was committed to reviewing the platform to identify and eliminate any remaining weaknesses. McDonald’s acknowledged the report and worked with the vendor to implement a fix.

It remains unclear how long the vulnerability existed or whether anyone else discovered it before the disclosure. What is clear is that tens of millions of job seekers had their private information exposed due to basic security failures that should have been caught during development.

For what it’s worth, I just had the new Snack Wrap for lunch. While it’s decent, it just doesn’t match the quality of the original from the good ol’ days. The chicken feels cheaper and less satisfying. Unfortunately, so does the security posture behind the digital system now trusted with millions of people’s personal data.

Author

  • Brian Fagioli, journalist at NERDS.xyz

    Brian Fagioli is a technology journalist and founder of NERDS.xyz. Known for covering Linux, open source software, AI, and cybersecurity, he delivers no-nonsense tech news for real nerds.