Would You Like an IDOR With That? Leaking 64m McDonald's Job Applications

https://ian.sh/mcdonalds
49•samwcurry•5h ago

Comments

bravesoul2•3h ago
It involves AI but AI wasn't the cause. It was an enumeration on object id, discovered because the author could access a test site with password 123456 and try things out.
oc1•3h ago
I have so many questions to the developers but I believe the answers will just crush my poor worker soul so let it be.
ryandrake•1h ago
I've been so lucky throughout my career to have almost entirely worked with competent and smart developers. I've always wondered what a conversation with one of these other ones is like, after a production site is found to use 123456/123456 as credentials. "Hey, Mike, we just had someone in the public notice that our admin interface could be accessed by anyone with default credentials. You're the manager on this project. How did this happen?" I would love to be a fly on the wall for that conversation, or read the postmortem. How does this kind of configuration even make it past code review, let alone staging and production?
lmz•1h ago
It's config not code - and a demo interface is a nice thing to have. The cross account read, however...
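The two points above, the id walk bravesoul2 describes and the cross-account read lmz singles out, shown as an added example (not code from the post or from Paradox). It contrasts a lookup that trusts the id in the URL with one scoped to the caller's account, and adds a defender-side heuristic that flags sessions walking sequential ids in access logs; the record store, session shape and log format are constructed for the example.

```python
"""IDOR illustration: a sequential applicant id is only a lookup key, never an
authorization decision. Added example; record store and log format are constructed."""
from collections import defaultdict

# Constructed sample data: applicant records, each owned by one account.
APPLICANTS = {
    1001: {"account": "franchise-A", "name": "applicant one"},
    1002: {"account": "franchise-B", "name": "applicant two"},
    1003: {"account": "franchise-A", "name": "applicant three"},
}

def get_applicant_vulnerable(session, applicant_id):
    """The IDOR pattern: the id from the URL is treated as proof of access and
    the authenticated session is never consulted."""
    return APPLICANTS.get(applicant_id)

def get_applicant(session, applicant_id):
    """Hardened: scope the lookup to the caller's own account. Foreign and missing
    ids both return None so the endpoint offers no existence oracle."""
    record = APPLICANTS.get(applicant_id)
    if record is None or record["account"] != session["account"]:
        return None
    return record

# Constructed access-log lines: '<session> GET /applicants/<id>'.
SAMPLE_LOG = [
    "s1 GET /applicants/1001", "s1 GET /applicants/1002", "s1 GET /applicants/1003",
    "s1 GET /applicants/1004", "s1 GET /applicants/1005",
    "s2 GET /applicants/1003", "s2 GET /applicants/1003", "s2 GET /applicants/1001",
]

def flag_enumeration(log_lines, threshold=5):
    """Detection heuristic: flag a session whose requests touch `threshold` or more
    consecutive ids in a strictly ascending run, the signature of an id walk."""
    ids_by_session = defaultdict(list)
    for line in log_lines:
        session, _, path = line.split()
        ids_by_session[session].append(int(path.rsplit("/", 1)[1]))
    flagged = set()
    for session, ids in ids_by_session.items():
        run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= threshold:
                flagged.add(session)
                break
    return flagged
```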
Marsymars•21m ago
“Well you see, that work was outsourced to a team where none of the implementing developers are still present, our auditors and pen testers both signed off on it, and anyway we’ve got cyber insurance to cover the fallout.”
NooneAtAll3•6m ago
> How does this kind of configuration even make it past code review

that's the secret - there is none

TZubiri•2h ago
It certainly doesn't reflect well on AI as a BuzzWord.

Execs vetted this provider and approved it, which isn't irrelevant to the disregard for safety occurring with AI in general right now.

Additionally, are we certain the vendor didn't use AI to vibecode stuff?

Proofread0592•3h ago
I cannot believe the 123456 worked; it's literally a joke from Spaceballs.
shrubble•3h ago
Reminds me that I need to change the combination on my luggage…
jeffbee•49m ago
In a past life, I had an investment stake in Krispy Kreme donuts. We were poking around to see if we could learn anything about the company. We watched a training video for new store managers. It told the viewer to go to some URL and enter their credentials. In the video, the example credentials were "admin" and "admin" as the password. So we tried that, and of course it worked on their live system. We immediately had access to global, live, online revenue data for every real Krispy Kreme outlet, not some training simulation.

Most people are not qualified to handle computer security, is what I learned from that.

david2ndaccount•2h ago
> We immediately began disclosure of this issue once we realized the potential impact. Unfortunately, no disclosure contacts were publicly available and we had to resort to emailing random people. The Paradox.ai security page just says that we do not have to worry about security!

Amazing.

eth0ws•22m ago
Having a security.txt would be best, but they've updated the page to include a security email address which is a start.
snypher•1h ago
> Without much thought, we entered “123456” as the username and “123456” as the password

I feel like there's more to this that I'd love to know the story behind...

gruez•1h ago
Maybe they ran a simple wordlist attack and wanted to launder the methods they used?
ryandrake•1h ago
> The personality test was a disturbing experience powered by Traitify.com where we were asked if phrases like “enjoys overtime” are either Me or Not Me. It was simple to guess that we should probably select Me for the pro-employer questions and Not Me for questions referencing being argumentative or aggressive, but it was still quite strange.

Off-topic from the security issue, but I wonder if they really get any value out of this "personality test." It seems like it's just a CAPTCHA that makes sure the applicant knows when to lie correctly.

veggieroll•1h ago
For the employer, the question is self-fulfilling. Either way they get what they want. Even if someone knows enough to lie, the lie betrays that they’re desperate enough to be unable to resist anything management demands.
reactordev•1h ago
While also providing evidence that you do indeed love overtime based on your answer. Ugh… the only way to win is not to play.
bee_rider•1h ago
Working in retail is 99% lying that you care about your job, so might as well start it out on the right footing.
msgodel•29m ago
Is it simple to guess? I always assumed if you went too hard with those answers they'd assume you were lying and reject you.

Maybe this is why I never got the McDonald's call back last time I was laid off.

HPsquared•21m ago
Overtime can be enjoyable if you get paid overtime rates.
Titan2189•1h ago
Hats off to Paradox for remediating this within 30 hours of reporting.
