McDonald's has outsourced the initial stages of its hiring process to an AI chatbot which seems to have been built without proper security measures. Security researchers managed to extract personal information about McDonald's job applicants by simply guessing a username and the password “12345.” In doing this, the researchers could have potentially gained access to the information of 64 million applicants. According to Wired, 90% of all McDonald's franchisees use McHire to get information from their applicants and send them to a personality test. Annoyingly, the McHire chatbot has been a thorn in the side of many aspiring McDonald's employee because of its inability to understand or answer any questions that fall outside of its script. That’s an aspect that many chatbots have in common, unfortunately. But spilling the McBeans about everyone that ever applied should not be on the menu. What the researchers did to test the security was create a fake application of their own and have a look at the McHire administration interface for restaurant owners. The application procedure did not yield any results when the researchers tried to prompt inject the chatbot. Attackers use prompt injection to feed chatbots or AI systems sneaky messages disguised as normal questions or instructions. These messages trick the AI into ignoring its usual rules and doing things it shouldn’t. However, this tactic failed here because the researchers got stuck at the point where a real person would…Read More