It involves AI but AI wasn't the cause. It was an enumeration on object id, discovered because the author could access a test site with password 123456 and try things out.
> We immediately began disclosure of this issue once we realized the potential impact. Unfortunately, no disclosure contacts were publicly available and we had to resort to emailing random people. The Paradox.ai security page just says that we do not have to worry about security!
> The personality test was a disturbing experience powered by Traitify.com where we were asked if phrases like “enjoys overtime” are either Me or Not Me. It was simple to guess that we should probably select Me for the pro-employer questions and Not Me for questions referencing being argumentative or aggressive, but it was still quite strange.
Offtopic from the security issue, but I wonder if they really get any value out of this "Personality test." It seems like it's just a CAPTCHA that makes sure the applicant knows when to lie correctly.
I'm sure there are a lot of McDonald's positions out there, but doesn't 64 million job applicants seem like a bit much?
There are only 13,647 locations in the US, so that would be 4,689 applications for each store? Makes you wonder how many of those were actually hired because there may only be 30-50 people per store.
What's it say about a company when they deceptively advertise that they are hiring when they really aren't (because all the positions were filled). Bad acting stuff like this needs cost imposed.
Perhaps I'm being overly cynical, but I'm struggling to see how this qualifies as an IDOR in the strict sense. While using UUIDs might reduce guessability, the real issue here is weak authentication, not insecure direct object references.
OWASP defines an IDOR as "an access control vulnerability that occurs when an application uses user-supplied input to access objects directly… without verifying the user is authorized for the target object" (OWASP Top 10 2021 – A01: Broken Access Control). But in this case, access to highly privileged internal functionality was granted simply by logging in with default credentials, no authorization bypass was needed because authentication was effectively absent.
This aligns more closely with CWE-1390: "Use of Default Credentials" and CWE-306: "Missing Authentication for Critical Function." The attacker was able to log in as a privileged user due to trivial credentials, and the lack of multi-factor authentication (MFA) further compounded the issue. Had MFA been implemented, or default credentials disabled, the ID enumeration would have been irrelevant. That makes it clear the real vulnerability lies in the authentication mechanism and not in how object references were structured.
> Had MFA been implemented, or default credentials disabled, the ID enumeration would have been irrelevant
Not really? The vulnerability might not have been discovered if that was the case, but it doesn’t change the fact that anyone who has access to the system can gain access to all of the data in the system, right?
19 comments
[ 4.3 ms ] story [ 47.2 ms ] threadAmazing.
I feel like there's more to this that I'd love to know the story behind...
Offtopic from the security issue, but I wonder if they really get any value out of this "Personality test." It seems like it's just a CAPTCHA that makes sure the applicant knows when to lie correctly.
There are only 13,647 locations in the US, so that would be 4,689 applications for each store? Makes you wonder how many of those were actually hired because there may only be 30-50 people per store.
What's it say about a company when they deceptively advertise that they are hiring when they really aren't (because all the positions were filled). Bad acting stuff like this needs cost imposed.
OWASP defines an IDOR as "an access control vulnerability that occurs when an application uses user-supplied input to access objects directly… without verifying the user is authorized for the target object" (OWASP Top 10 2021 – A01: Broken Access Control). But in this case, access to highly privileged internal functionality was granted simply by logging in with default credentials, no authorization bypass was needed because authentication was effectively absent.
This aligns more closely with CWE-1390: "Use of Default Credentials" and CWE-306: "Missing Authentication for Critical Function." The attacker was able to log in as a privileged user due to trivial credentials, and the lack of multi-factor authentication (MFA) further compounded the issue. Had MFA been implemented, or default credentials disabled, the ID enumeration would have been irrelevant. That makes it clear the real vulnerability lies in the authentication mechanism and not in how object references were structured.
Not really? The vulnerability might not have been discovered if that was the case, but it doesn’t change the fact that anyone who has access to the system can gain access to all of the data in the system, right?