McDonald's AI hiring chatbot used the password “123456”, exposing data from millions of applicants to hackers.



If you want a job at McDonald's today, you may have to talk to Olivia. Olivia is not actually a human but an AI chatbot that screens applicants, asks for their contact information and resumes, directs them to a personality test, and sometimes drives them “insane” by repeatedly misunderstanding their most basic questions.

Until last week, the platform that runs the Olivia chatbot, built by artificial intelligence software company Paradox.ai, also suffered from absurdly basic security flaws. As a result, virtually any hacker could have accessed all the chat records Olivia had with McDonald's applicants, including all the personal information they shared in those conversations, with a step as simple as guessing that the username and password for the admin account were “123456”.

On Wednesday, security researchers Ian Carroll and Sam Curry revealed that they had found an easy way to hack into the backend of the AI chatbot platform on McDonald's hiring website, MCHIRE.com. Carroll and Curry, hackers with a long track record of independent security testing, discovered that a simple web-based vulnerability, guessing a laughably weak password, allowed them to access a Paradox.ai account and query the company database that holds applicants' chats with Olivia. The data appears to include up to 64 million records, including applicants' names, email addresses and phone numbers.

Carroll says he only discovered the appalling lack of security around applicants' information because he was intrigued by McDonald's decision to subject potential new recruits to an AI chatbot screener and personality test. “I just thought it was a pretty unique dystopia compared to the usual hiring process, right? So I started applying for jobs. Then, 30 minutes later, I had full access to almost every application that McDonald's had returned to years ago.”

When Wired contacted McDonald's and Paradox.ai to request comment, a spokesman for Paradox.ai shared a blog post, which the company was scheduled to publish, addressing Carroll and Curry's findings. The company noted that only a small portion of the records Carroll and Curry accessed contained personal information, and said it had verified that the administrator account with the “123456” password that exposed the information “was not accessed by third parties other than researchers.” The company also added that it has put in place a bug bounty program to better catch security vulnerabilities in the future. “We have not underestimated this issue despite it being resolved quickly and effectively,” Stephanie King, chief legal officer at Paradox, told Wired in an interview. “We own this.”

In its own statement to Wired, McDonald's agreed that Paradox.ai bears responsibility. “We are disappointed with this unacceptable vulnerability from our third-party provider Paradox.ai. As soon as we learned of the issue, we mandated Paradox.ai to fix the issue immediately. We take our commitment to cybersecurity seriously and continue to hold third-party providers accountable to meet our data protection standards.”


