Ian attempted common login credentials, first trying “admin” for both username and password, then “123456”. The second attempt succeeded, granting administrator access to a test McDonald’s restaurant on McHire without multifactor authentication.

“So I started applying for a job, and then after 30 minutes, we had full access to virtually every application that’s ever been made to McDonald’s going back years,” he said.

Paradox.ai confirms test account compromise dating back to 2019

Paradox.ai stated in a blog post that the compromised test account “had not been logged into since 2019 and frankly, should have been decommissioned.” It also confirmed the account “was not accessed by any third party” other than the security researchers.

Once inside the system, Ian and Sam discovered a second vulnerability. They found they could manipulate applicant ID numbers to view other candidates’ chat logs and contact information. The researchers accessed seven records in total, with five containing personal information of people who had interacted with the McHire site.
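The applicant-ID issue described above, where changing an ID returns another person's record, is the kind of flaw a per-record authorization check prevents. The Python below is an added illustration, not code from McHire or Paradox.ai: `Session`, `get_applicant`, the per-restaurant scoping and the sample records are all hypothetical and constructed for the example.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a record is missing or outside the caller's scope."""


@dataclass(frozen=True)
class Session:
    user: str
    restaurant_ids: frozenset  # restaurants this account may administer (assumed model)


# Constructed sample data: applicant_id -> record.
APPLICANTS = {
    1001: {"restaurant_id": "test-store", "name": "Sample A", "chat": ["hi"]},
    1002: {"restaurant_id": "store-17", "name": "Sample B", "chat": ["hello"]},
}


def get_applicant_unsafe(session: Session, applicant_id: int) -> dict:
    # Weak form: being logged in is the only check, so any ID the caller
    # supplies is returned regardless of which restaurant owns the record.
    return APPLICANTS[applicant_id]


def get_applicant(session: Session, applicant_id: int) -> dict:
    # Hardened form: the record must belong to a restaurant in the caller's scope.
    record = APPLICANTS.get(applicant_id)
    # Missing and out-of-scope IDs get the same error, so responses do not
    # reveal which applicant IDs exist.
    if record is None or record["restaurant_id"] not in session.restaurant_ids:
        raise Forbidden("applicant not available to this account")
    return record


if __name__ == "__main__":
    s = Session(user="test-admin", restaurant_ids=frozenset({"test-store"}))
    print(get_applicant(s, 1001)["name"])
    try:
        get_applicant(s, 1002)
    except Forbidden as exc:
        print("denied:", exc)
```
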