Most people are not qualified to handle computer security, is what I learned from that.
I checked my apps into RCS archives later that decade with passwords. Expecting to move these archives into CVS, I changed them.
Now, any code repository that I touch, I will run "git grep password" (or the [TFS] equivalent) and once again hit pay dirt.
It seems to take a certain exposure, growth, and wisdom to be mindful of these things, and many are far behind.
Amazing.
I feel like there's more to this that I'd love to know the story behind...
Offtopic from the security issue, but I wonder if they really get any value out of this "Personality test." It seems like it's just a CAPTCHA that makes sure the applicant knows when to lie correctly.
Game theoretically there’s an advantage as an employee of a successful company to artificially reduce the number of people who can be employed to raise your own relative value to the company. If Google can only select from left handed employees suddenly they need to pay higher wages and existing employees are facing less competition as new employees are selected from a smaller applicant pool and thus worse.
Probably not the actual answer, but it’s worth considering such indirect motivations.
If one were to do that, you would be imposing costs to the point where demand drops to 0, and supply in the near term would follow that to 0.
From there you have a short march to economic collapse.
Various interests try to get other people to behave in specific ways, but what actually happens isn’t necessarily as clean as often described.
When it came close to being tested, a legal playbook was provided for crushing unions, negating their intended benefit. This playbook was provided by none other than President Regan, with the 1981 PATCO strike.
The government took the side of the companies because they required the services to continue, and so any strike that exceeds a certain point has this bulldozer held in reserve; allowing the companies involved to not negotiate in good faith. The playbook has been used multiple times since to crush union power.
I mean, lol, yes?
I can’t really understand the mindset that gets really on-mission for that sort of thing, like somebody has a life goal of selling clothes or renting videos out.
Maybe this is why I never got the mcdonalds call back last time I was layed off.
Maybe people with higher levels of intelligence don't last as long until they get a better job, but I think they're pretty valuable for the time they are there. I think that most entry-level stores are shortsighted for ignoring those applicants.
Most positions at McDonalds are entry-level and minimum wage. It’s not like they’re applying to NASA.
Once you understand that, many behaviors make a lot of sense.
The one that I just got annoyed with and decided it wasn't worth switching from McD's to Arby's was "would you rather read a book or talk to a person?". I mean, I get it, they want people-focused-people, but being introverted and/or just liking books doesn't mean you can't give excellent customer service.
Sure, it's easy to guess what want most of the time, but the fact that personality tests are as widespread as they are in employment is maddening.
Many years later I worked at Chevron (upstream as an exploration geologist -- not a gas station). While they didn't do it as part of the application process, you were required to take a personality/communication style test when you started (ecolors). That's all well and good (it _is_ very useful to understand personalities for communication styles), but in a lot of roles you literally had to wear the colors on your badge. If you wanted to go into management, you essentially had to score "red over yellow". "Greens" and "blues" were considered to be limited to technical roles and were explicitly not given opportunities to advance, though it took a long time to realize that. I started out thinking "hey, this is actually practical" and then over a few years went to "oh, they're using this to decide who moves up... That's a problem". I asked folks and was told by my manager's manager that ecolors were explicitly used in advancement criteria and who got opportunities to lead projects/etc. That's around the time I left. I hear they've dialed that particular bit back a lot, but it's still very weird to me that it's considered a normal and acceptable practice.
Corporate Stakhanovism. It's funny how very large employers can end up with a culture which replicates some of the pathologies of Soviet life.
I think these tests optimize for multiple things. Part of the test is designed to weed out people who are hostile and violent. Plus it's an IQ test with a floor of around 80, which seems reasonable. And it judges how well you can follow orders and "play the game".
McDonald's has dealt with tens of millions of job applicants. Many of these people arrive with complex challenges. There's a reason why McDonald's uses tests like these.
It might make more sense if you take the perspective of a McDonald's worker. Imagine you're a typical McDonald's employee - maybe you're a mom with two kids. Let's say you get a new coworker. Wouldn't you feel a little safer to know that they passed this test?
I may be an old man yelling at the clouds here, but I just wish "Maybe the fact that they're trying to be so big that problems like this become inevitable" were rhetorically explored more.
There are only 13,647 locations in the US, so that would be 4,689 applications for each store? Makes you wonder how many of those were actually hired because there may only be 30-50 people per store.
What's it say about a company when they deceptively advertise that they are hiring when they really aren't (because all the positions were filled). Bad acting stuff like this needs cost imposed.
Then how often does the typical McDonald's have a vacancy? These are not good jobs that would cause low turnover, especially once you get into touristy markets where demand is very seasonal. Let's say 10 openings per store per year.
Finally when your applicant pool is basically "every college student, unqualified adult, and even some teenagers", 200-300 applications per opening seems entirely plausible. Low even, from the times I've seen the entry level hiring process close up.
Of course, the thing that confuses people with application numbers like this is they assume that there's no overlap. The same people generally apply to all the jobs in an area so the local McDonalds getting a few thousand applications a year might only be a few hundred unemployed people.
OWASP defines an IDOR as "an access control vulnerability that occurs when an application uses user-supplied input to access objects directly… without verifying the user is authorized for the target object" (OWASP Top 10 2021 – A01: Broken Access Control). But in this case, access to highly privileged internal functionality was granted simply by logging in with default credentials, no authorization bypass was needed because authentication was effectively absent.
This aligns more closely with CWE-1390: "Use of Default Credentials" and CWE-306: "Missing Authentication for Critical Function." The attacker was able to log in as a privileged user due to trivial credentials, and the lack of multi-factor authentication (MFA) further compounded the issue. Had MFA been implemented, or default credentials disabled, the ID enumeration would have been irrelevant. That makes it clear the real vulnerability lies in the authentication mechanism and not in how object references were structured.
Not really? The vulnerability might not have been discovered if that was the case, but it doesn’t change the fact that anyone who has access to the system can gain access to all of the data in the system, right?
The report didn't make it clear to me if an unauthorised user, or an account with low privilege can still access data they otherwise should not have access to.
If this is true, then I agree it is an IDOR, but I read it as they had access because of their current context.
I don’t think you would expect the administrator of a single restaurant to have access to the data of all 64M applicants globally
bravesoul2•7mo ago
oc1•7mo ago
ryandrake•7mo ago
lmz•7mo ago
Marsymars•7mo ago
NooneAtAll3•7mo ago
that's the secret - there is none
viraptor•7mo ago
joules77•7mo ago
You want data of any Large corp in the US - fly to well known outsourcing destinations. Stand outside the gate of their "global delivery centers". Hand out cash. Get access to whatever you want.
But the main thing to understand here in 2025 is that getting access to/monetizing user data has become so normalized, that you could legally just go to McD Biz Dev (or which ever other large corp) and say - hey guys I have this algo that can add 2 bucks of revenue per user per quarter (throw in a - just look at Meta they extract 70 bucks out of their American users and atleast 12 bucks out of everyone else per quarter just using the personal data). To test my algo, I need access to your DB. Your competitor has already given me access to theirs for testing.
What is corporate robot going to do?
They will hand you the data.
TZubiri•7mo ago
Execs vetted this provider and approved it, which isn't irrelevant to the disregard for safety occuring with AI in general right now.
Additionally, are we certain the vendor didn't use AI to vibecode stuff?