Would You Like an IDOR With That? Leaking 64m McDonald's Job Applications

ryandrake

> The personality test was a disturbing experience powered by Traitify.com where we were asked if phrases like “enjoys overtime” are either Me or Not Me. It was simple to guess that we should probably select Me for the pro-employer questions and Not Me for questions referencing being argumentative or aggressive, but it was still quite strange.

Offtopic from the security issue, but I wonder if they really get any value out of this "Personality test." It seems like it's just a CAPTCHA that makes sure the applicant knows when to lie correctly.

jofer

Similar tests have been standard for over 20 years. When I worked at McDonald's (late 90's), they didn't do the personality test, but when I applied across the street at Arby's a few years later, they did.

The one that I just got annoyed with and decided it wasn't worth switching from McD's to Arby's was "would you rather read a book or talk to a person?". I mean, I get it, they want people-focused-people, but being introverted and/or just liking books doesn't mean you can't give excellent customer service.

Sure, it's easy to guess what they want most of the time, but the fact that personality tests are as widespread as they are in employment is maddening.

Many years later I worked at Chevron (upstream as an exploration geologist -- not a gas station). While they didn't do it as part of the application process, you were required to take a personality/communication style test when you started (ecolors). That's all well and good (it _is_ very useful to understand personalities for communication styles), but in a lot of roles you literally had to wear the colors on your badge. If you wanted to go into management, you essentially had to score "red over yellow". "Greens" and "blues" were considered to be limited to technical roles and were explicitly not given opportunities to advance, though it took a long time to realize that. I started out thinking "hey, this is actually practical" and then over a few years went to "oh, they're using this to decide who moves up... That's a problem". I asked folks and was told by my manager's manager that ecolors were explicitly used in advancement criteria and who got opportunities to lead projects/etc. That's around the time I left. I hear they've dialed that particular bit back a lot, but it's still very weird to me that it's considered a normal and acceptable practice.

idiotsecant

Wow, talk about unintended consequences. I guarantee that at some early stage some non-sociopath genuinely thought that program would help people communicate. They underestimated the degree to which humans are willing to let tribalism supplant empathy.

bee_rider

Working in retail is 99% lying that you care about your job, so might as well start it out on the right footing.

sgerenser

What about working as a SWE at Google? Apparently they recently implemented a personality test as an initial screener (they call it a Googleyness test).

Waterluvian

Google is screening for compliant, fungible engineers. Especially those swayed by the need to be told they’re the best of the best. Tests like that make sense in an ugly sort of way.

Retric

It doesn’t necessarily need to be beneficial for the company.

Game theoretically there’s an advantage as an employee of a successful company to artificially reduce the number of people who can be employed to raise your own relative value to the company. If Google can only select from left handed employees suddenly they need to pay higher wages and existing employees are facing less competition as new employees are selected from a smaller applicant pool and thus worse.

Probably not the actual answer, but it’s worth considering such indirect motivations.

cebert

This Traitify product makes me immediately suspicious. It asks candidates a few brief questions with images and assigns them personality and trait scores. Surely employers can’t think tools like this are good or accurate signals, right?

Most positions at McDonald's are entry-level and minimum wage. It’s not like they’re applying to NASA.

(https://www.traitify.com/)

veggieroll

For the employer, the question is self fulfilling. Either way they get what they want. Even if someone knows enough to lie, the lie betrays that they’re desperate enough to be unable to resist anything management demands.

reactordev

While also providing evidence that you do indeed love overtime based on your answer. Ugh… the only way to win is not to play.

HPsquared

Overtime can be enjoyable if you get paid overtime rates.

saghm

Maybe the goal isn't knowing when to lie as much as being willing to tolerate the bullshit they'll want to throw your way on the job. Presumably anyone not willing to say they like overtime (or unable to determine that's what the employer wants them to say) would not be compliant to demands to actually work overtime. If you don't give the answers they expect you to know you're supposed to give, they can likely rule you out as an employee who will keep your head down and not rock the boat.

idiotsecant

It's a personality test, just not for what it says on the tin. It's a way of determining how beaten down by the system you are. Have you been taught yet that your corporate masters expect you to cheerily tell them how much you love being fry cook drone 732-b926? It's a measure of docility - they are seeing if you have been 'broken' yet. Everyone wants the workhorse, nobody wants to break him.

david2ndaccount

> We immediately began disclosure of this issue once we realized the potential impact. Unfortunately, no disclosure contacts were publicly available and we had to resort to emailing random people. The Paradox.ai security page just says that we do not have to worry about security!

Amazing.

eth0ws

Having a security.txt would be best, but they've updated the page to include a security email address which is a start.

jonas21

One might even say paradoxical.

Proofread0592

I cannot believe the 123456 worked, it's literally a joke from SpaceBalls.

shrubble

Reminds me that I need to change the combination on my luggage…

jeffbee

In a past life, I had an investment stake in Krispy Kreme donuts. We were poking around to see if we could learn anything about the company. We watched a training video for new store managers. It told the viewer to go to some URL and enter their credentials. In the video, the example credentials were "admin" and "admin" as the password. So we tried that, and of course it worked on their live system. We immediately had access to global, live, online revenue data for every real Krispy Kreme outlet, not some training simulation.

Most people are not qualified to handle computer security, is what I learned from that.

chasil

When I started my job in 2000, I introduced my fellow (emeritus) DBA to "ps -ef | grep sqlplus" and sprayed a pile of user accounts and passwords. I fixed the problem and learned about Oracle databases.

I checked my apps into RCS archives later that decade with passwords. Expecting to move these archives into CVS, I changed them.

Now, any code repository that I touch, I will run "git grep password" (or the [TFS] equivalent) and once again hit pay dirt.

It seems to take a certain exposure, growth, and wisdom to be mindful of these things, and many are far behind.

bravesoul2

It involves AI but AI wasn't the cause. It was an enumeration on object id, discovered because the author could access a test site with password 123456 and try things out.
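An added example, not code from the article or from Paradox, of the object-id enumeration bravesoul2 describes: a lookup that trusts the id alone, the same lookup scoped to the caller's account, and a crude detector for sequential id walks run over constructed log lines. The store, field names and log format are assumptions.

```python
"""IDOR walk-through: id-only lookup, account-scoped lookup, enumeration detector."""
from collections import defaultdict

# Constructed sample store: application id -> record owned by an account.
APPLICATIONS = {
    1001: {"account": "acct-A", "applicant": "Alice", "phone": "555-0101"},
    1002: {"account": "acct-B", "applicant": "Bob", "phone": "555-0102"},
    1003: {"account": "acct-A", "applicant": "Carol", "phone": "555-0103"},
}

# Constructed access log: "<timestamp> <session> <path>", ids are sequential
# so a caller walking them can read every account's records.
SAMPLE_LOG = [
    "2025-07-01T10:00:00Z sess-42 /api/applications/1001",
    "2025-07-01T10:00:01Z sess-42 /api/applications/1002",
    "2025-07-01T10:00:02Z sess-42 /api/applications/1003",
    "2025-07-01T10:05:00Z sess-7 /api/applications/1002",
    "2025-07-01T10:06:00Z sess-9 /api/applications/1001",
    "2025-07-01T10:09:00Z sess-9 /api/applications/1003",
]


def get_application_vulnerable(app_id):
    """Looks up by id only: any authenticated caller can read any record."""
    return APPLICATIONS.get(app_id)


def get_application_hardened(requesting_account, app_id):
    """Returns the record only if it belongs to the caller's account.

    A foreign id is answered exactly like a missing id, so the response
    does not confirm which ids exist.
    """
    record = APPLICATIONS.get(app_id)
    if record is None or record["account"] != requesting_account:
        return None
    return record


def flag_enumeration(log_lines, threshold=3):
    """Flag sessions that request >= threshold ids in a strictly +1 sequence."""
    ids_by_session = defaultdict(list)
    for line in log_lines:
        _, session, path = line.split()
        ids_by_session[session].append(int(path.rsplit("/", 1)[1]))
    flagged = []
    for session, ids in ids_by_session.items():
        if len(ids) >= threshold and all(b - a == 1 for a, b in zip(ids, ids[1:])):
            flagged.append(session)
    return flagged
```

The same ownership check belongs in the data layer too (a `WHERE account = ?` on every query), so a new endpoint cannot reintroduce the id-only path.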

oc1

I have so many questions for the developers, but I believe the answers will just crush my poor worker soul, so let it be.

ryandrake

I've been so lucky throughout my career to have almost entirely worked with competent and smart developers. I've always wondered what a conversation with one of these other ones is like, after a production site is found to use 123456/123456 as credentials. "Hey, Mike, we just had someone in the public notice that our admin interface could be accessed by anyone with default credentials. You're the manager on this project. How did this happen?" I would love to be a fly on the wall for that conversation, or read the postmortem. How does this kind of configuration even make it past code review, let alone staging and production?

joules77

"We outsourced it to the 3rd world cuz it costs 20 bucks a week to hire a "certified" sysadmin there"

You want data of any Large corp in the US - fly to well known outsourcing destinations. Stand outside the gate of their "global delivery centers". Hand out cash. Get access to whatever you want.

But the main thing to understand here in 2025 is that getting access to/monetizing user data has become so normalized that you could legally just go to McD Biz Dev (or whichever other large corp) and say - hey guys, I have this algo that can add 2 bucks of revenue per user per quarter (throw in a - just look at Meta, they extract 70 bucks out of their American users and at least 12 bucks out of everyone else per quarter just using the personal data). To test my algo, I need access to your DB. Your competitor has already given me access to theirs for testing.

What is corporate robot going to do?

They will hand you the data.

viraptor

It's rarely as simple as actually exposing something as a decision. Scope changes, access rules change, multiple systems interact in interesting ways, access configuration lives in a different place than the app, etc. You're implying that it wouldn't happen with competent developers, but I guarantee it does - just wait a bit longer and let the systems grow. The Swiss cheese will get everyone given enough time.

NooneAtAll3

> How does this kind of configuration even make it past code review

that's the secret - there is none

lmz

It's config not code - and a demo interface is a nice thing to have. The cross account read, however...

Marsymars

“Well you see, that work was outsourced to a team where none of the implementing developers are still present, our auditors and pen testers both signed off on it, and anyway we’ve got cyber insurance to cover the fallout.”

TZubiri

It certainly doesn't reflect well on AI as a BuzzWord.

Execs vetted this provider and approved it, which isn't irrelevant to the disregard for safety occurring with AI in general right now.

Additionally, are we certain the vendor didn't use AI to vibecode stuff?

ge96

Funny, I remember trying to get a job at McD's before and had to answer those behavioral questions, kill 1 or 5.

Titan2189

Hats off to Paradox for remediating this within 30 hours of reporting.

RandomBacon

Hopefully it shouldn't take longer than 30 hours to change a password.

snypher

> Without much thought, we entered “123456” as the username and “123456” as the password

I feel like there's more to this that I'd love to know the story behind...

gruez

Maybe they ran a simple wordlist attack and wanted to launder the methods they used?

bombcar

It’s kind of sad and yet expected that McDonald’s responds better to security vulnerabilities than many Internet companies do.

Y_Y

[flagged]

quantified

They're on a test menu. Sometimes you see it, sometimes you don't.

heavyset_go

It was on my desk but it disappeared because it doesn't exist. Besides, it's weird that you're still talking about this Epstein guy when things like Texas happened.

lesuorac

It's unfortunate the administration can only focus on one thing and can't handle Texas and Epstein at the same time.