McHire is a chatbot-based recruitment platform used by most McDonald's franchisees. Job applicants chat with a bot named Olivia, built and owned by Paradox.ai, which collects their information, runs personality tests and more.
While going through the interview process as applicants, Sam Curry and Ian Carroll were asked some oddly pro-company questions but saw nothing interesting in the chat itself. Notably, Olivia appeared to work from a fixed set of predefined inputs and would not accept anything else.
On the sign-in page they noticed a small link for Paradox team members. Trying the username 123456 with the password 123456 logged them in as an administrator of a test restaurant. Absurd, but on its own no real impact.
Doing authorization without real authentication is error-prone; think of how anyone holding a confirmation code can check in for a flight without ever creating an account. While applying for a job, Sam and Ian noticed a PUT request to /api/lead/cem-xhr that returned data. The name suggests it proxies information to a Candidate Experience Manager (CEM) via an XHR request. The request carried a lead_id parameter.
Simply decrementing that ID returned another applicant's data: previous chat conversations, names, emails, addresses, phone numbers and so on. Craziest of all, the response also included an auth token for the consumer UI, which effectively let you become that user.
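The bug described above is a classic insecure direct object reference: the session is authenticated, but the lead_id from the request is never tied to the caller. The following is an added illustration, not Paradox.ai's or McHire's code; the lead records, the session model and every function name are constructed assumptions, and only the shape of the flaw follows the page. It shows the vulnerable lookup next to a hardened one, plus the decrement-the-ID probe the researchers ran against each.

```python
"""IDOR on a lead-lookup endpoint: vulnerable handler beside the hardened form.

Added example, not code from McHire or Paradox.ai. All data, session ids and
function names below are constructed for the demonstration.
"""
from dataclasses import dataclass, field


@dataclass
class Lead:
    lead_id: int
    name: str
    email: str
    phone: str
    chat_log: list = field(default_factory=list)
    consumer_auth_token: str = ""  # lets the holder act as this applicant in the consumer UI


# Constructed sample data: three applicants with consecutive ids.
LEADS = {
    1001: Lead(1001, "Applicant A", "a@example.com", "555-0101", ["Olivia: Hi! Which role?"], "tok-A"),
    1002: Lead(1002, "Applicant B", "b@example.com", "555-0102", ["Olivia: Hi! Which role?"], "tok-B"),
    1003: Lead(1003, "Applicant C", "c@example.com", "555-0103", [], "tok-C"),
}

# Constructed session model: an authenticated session belongs to exactly one lead.
SESSIONS = {"sess-C": 1003}


class Forbidden(Exception):
    pass


def serialize(lead: Lead, include_token: bool) -> dict:
    out = {
        "lead_id": lead.lead_id,
        "name": lead.name,
        "email": lead.email,
        "phone": lead.phone,
        "chat_log": list(lead.chat_log),
    }
    if include_token:
        out["consumer_auth_token"] = lead.consumer_auth_token
    return out


def cem_xhr_vulnerable(session_id: str, lead_id: int) -> dict:
    """The pattern on the page: authentication happens, authorization does not.
    Any valid session can read any lead_id, and the auth token rides along."""
    if session_id not in SESSIONS:
        raise Forbidden("not logged in")
    lead = LEADS.get(lead_id)
    if lead is None:
        raise KeyError(lead_id)
    return serialize(lead, include_token=True)


def cem_xhr_fixed(session_id: str, lead_id: int) -> dict:
    """Hardened form: the requested lead must be the one the session is bound to,
    and a credential for the consumer UI is never returned from a read endpoint."""
    owner = SESSIONS.get(session_id)
    if owner is None:
        raise Forbidden("not logged in")
    if lead_id != owner:
        # Same error for "not yours" and "does not exist", so the endpoint cannot
        # be used as an oracle to enumerate which ids are real.
        raise Forbidden("not found")
    return serialize(LEADS[lead_id], include_token=False)


def probe_adjacent(handler, session_id: str, start_id: int, count: int) -> list:
    """What the researchers did: walk lead_id downwards and collect whatever is returned."""
    leaked = []
    for lid in range(start_id - 1, start_id - 1 - count, -1):
        try:
            leaked.append(handler(session_id, lid)["lead_id"])
        except (Forbidden, KeyError):
            continue
    return leaked


def is_denied(handler, session_id: str, lead_id: int) -> bool:
    try:
        handler(session_id, lead_id)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", probe_adjacent(cem_xhr_vulnerable, "sess-C", 1003, 2))
    print("fixed:     ", probe_adjacent(cem_xhr_fixed, "sess-C", 1003, 2))
```

The fix is not "hide the id" but "derive the allowed id from the session and compare"; the check belongs in the handler for every object-bearing parameter, not just this one.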
With no bug bounty contact, they reached out to people at Paradox.ai, who promptly remediated the vulnerability. Sam does a lot of great research on targets without bug bounty programs. Although security is getting better in some places, it is clearly getting worse in others.