Researchers hacked a chatbot for hiring employees and revealed the secrets of KFC and Subway

The automation system has become a source of extortion for fast food chains.

A group of security researchers was able to break into the system of a chatbot used by large fast food franchises to automate the hiring process. Researchers were able to accept or reject job applicants, as well as gain access to confidential information about job applicants, franchises themselves, and Chattr, the company that developed the chatbot.

One of the researchers, known as MrBruh, told 404 Media that the access could have been used for blackmail. He pointed out the possibility of destroying the database and demanding money for its restoration. MrBruh was "glad that he was able to prevent this" and informed Chattr about the problem.

MrBruh wrote on his blog that the story began with a script he created to search for vulnerabilities in Firebase, a platform often used by application developers. The script detected a vulnerable Firebase configuration associated with the KFC network. The researchers used this configuration to access the database, which allowed them to see information including names, phone numbers, email addresses, branch locations, messages, work schedules, and some passwords. The data covered franchisee managers, job seekers, and Chattr employees.

[Image: example of the applicant's application form]

However, the data leak was not limited to a single KFC database. Chick-fil-A and Subway were also mentioned. The researchers gained access to an administrative dashboard that listed organizations using Chattr and gave them the ability to accept or reject candidates.

MrBruh reported the Chattr issue on January 9. The next day, Chattr fixed the vulnerability, but, according to MrBruh, did not express gratitude and did not contact the researcher, although he asked for it in his letter. Chattr also did not provide a comment. A KFC representative said that Chattr only works with one KFC franchisee and the company does not have details of this cooperation.