Vulnerable credentials, API found at an AI company
Security researchers find a firm that allowed 123456 as a password, along with a weak API that could have led to the leaking of sensitive info on McDonald's job applicants
There’s been another oopsy moment in password security for a company. The company is Paradox.ai, a cloud-based service that markets a conversational artificial intelligence chatbot to help firms automate the hiring of employees. The company says its service is used by more than 500 companies around the world, who can create a hiring site job applicants can use to enter personal information.
The problem: Each Paradox.ai customer with a recruiting site can also create a test account. And that account didn’t necessarily need a strong username and password. As security researchers Ian Carroll and Sam Curry revealed in a blog this week, they discovered the test account for McDonald’s had an easily-guessed username and password — 123456 and 123456.
OK, accessing a test account isn’t serious, right? Well, through some extra work the researchers found their access to the test account led to the ability to access every chat interaction by a person who had ever applied for a job at McDonald’s franchises using the Paradox.ai system in the past couple of years: their names, email addresses, phone numbers, authentication tokens to log into the consumer interface as an applicant, and their raw chat messages.
That’s not all. As soon as the researchers realized there was a vulnerability they tried contacting Paradox.ai, but the company’s website didn’t have a contact for disclosing problems. So they had to send emails to any account listed on the web page.
A couple of quick lessons for IT and corporate leaders: First, every organization has to make sure any login account created and used for any reason — including training and test accounts — can’t have easily guessed credentials. That includes sequential numbers like 123456, days of the week, months of the year, variations of the company’s name, and the names of movie actors or sports heroes. Companies that sell services to customers have to make sure those customers can’t create easily guessed passwords, and organizations have to ensure their employees can’t create easily guessed passwords on accounts they create for business purposes. How? In both cases by having a corporate identity and access management policy that can be enforced — usually with technology — for all employees.
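The enforcement the lesson above calls for is usually a policy check run at account creation and password change time. The following is an added illustration of such a check, not Paradox.ai code: it rejects the credential classes the article names (sequential or repeated digits, day and month names, variations of the company name) plus the account's own username, after undoing common letter-for-symbol substitutions. The COMPANY_NAMES and COMMON_WORDS lists are assumptions a deploying organization would replace with its own names and a breached-password list.

```python
"""Password-policy check for the 'easily guessed' credential classes named in
the article. Added illustration, not Paradox.ai code; the word lists below are
assumptions a real deployment would replace."""
import calendar
import re
from typing import List

COMPANY_NAMES = ["paradox", "mcdonalds"]   # assumption: the deploying org and its clients
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin"}  # constructed short list
DAY_NAMES = {d.lower() for d in calendar.day_name}
MONTH_NAMES = {m.lower() for m in calendar.month_name if m}

# Common substitutions undone before word matching, so "McD0nald$" is checked as "mcdonalds".
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                       "@": "a", "$": "s", "!": "i"})


def _normalize(text: str) -> str:
    return text.lower().translate(_LEET)


def _letters_only(text: str) -> str:
    return re.sub(r"[^a-z]", "", text)


def _has_trivial_digit_run(pw: str, min_run: int = 4) -> bool:
    """True if any run of at least min_run digits is ascending, descending or constant
    (123456, 654321, 111111); checked on the raw password, before substitutions."""
    for run in re.findall(r"\d+", pw):
        if len(run) < min_run:
            continue
        steps = {int(b) - int(a) for a, b in zip(run, run[1:])}
        if steps in ({1}, {-1}, {0}):
            return True
    return False


def check_password(pw: str, username: str = "", min_len: int = 12) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if _has_trivial_digit_run(pw):
        problems.append("contains a sequential or repeated digit run (e.g. 123456)")
    words = _letters_only(_normalize(pw))
    # Names shorter than four letters ("may") are skipped to avoid matching ordinary words.
    if any(name in words for name in DAY_NAMES | MONTH_NAMES if len(name) >= 4):
        problems.append("contains a day or month name")
    if any(name in words for name in COMPANY_NAMES):
        problems.append("contains a variation of the company name")
    if any(word in words for word in COMMON_WORDS):
        problems.append("contains a common dictionary password")
    user_letters = _letters_only(_normalize(username))
    if len(user_letters) >= 3 and user_letters in words:
        problems.append("password contains the username")
    return problems


if __name__ == "__main__":
    # Constructed sample credentials, including the pair named in the article.
    for candidate in ["123456", "Monday2024!", "McD0nald$-Hiring-2025", "vQ7!kr-Tz2p$mN9e"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

The check is deliberately conservative: a false rejection costs the user a second attempt, whereas a false acceptance is exactly the failure the article describes. In practice the same function should sit behind both the customer-facing account creation path and any internal tooling that provisions test or training accounts, so neither path can bypass it.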
In a blog outlining its side of the story Paradox.ai said its password security standards for customers that allowed such a simple credential have changed since the account was created, but this test account’s password was never updated.
[For more on safe passwords see my previous blog]
The second lesson is that every website should have an email address at the bottom where anyone can report problems — especially security problems. These types of messages shouldn’t be going to sales, marketing or customer support. Paradox.ai said it has created a website link to report security complaints, and launched a bug bounty program for rewarding those who find vulnerabilities.
The third lesson is a little more complex. The way the researchers got to applicants’ information was by accessing an application programming interface (API) that linked from the test site to real applicant data. That’s right — test data led to real chat data because of an API vulnerability. “Unfortunately,” Paradox.ai says in its blog, “none of our penetration tests previously identified the issue.” The lesson is that while APIs connecting applications and data are an essential part of today’s IT infrastructure, they can blow up in a company’s face if vulnerabilities or poor coding are exploited by a threat actor. All APIs have to be thoroughly tested by a skilled application development team before being put into production.
Need some help with this? Start by consulting the Open Web Application Security Project’s (OWASP) Top 10 API Security Vulnerabilities list. Microsoft has this guide for creating web APIs using Representational State Transfer (REST) architectural principles (otherwise known as RESTful APIs).
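The article does not say what the API flaw actually was, so the following is an added, hypothetical illustration of the general failure mode the third lesson describes, not Paradox.ai's API, data or code. It shows a chat-lookup handler in two forms: one that authenticates the caller but then trusts a tenant identifier supplied in the request (the pattern OWASP's API Security Top 10 lists first, as API1 Broken Object Level Authorization), and one that derives the tenant from the authenticated session and confines test accounts to test-flagged records. The authorization_checks function is the kind of pre-production test the paragraph above calls for. All sessions, tenant ids and records are constructed.

```python
"""Hypothetical applicant-chat API handler, insecure and hardened. Added
illustration for the article's third lesson; not Paradox.ai code. Every
session, tenant id and record here is constructed sample data."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Session:
    """What the API layer knows about the caller once authentication has succeeded."""
    account_id: str
    tenant_id: str
    is_test: bool          # test/training accounts must only ever see test data


@dataclass(frozen=True)
class ChatRecord:
    chat_id: int
    tenant_id: str
    is_test: bool
    applicant_email: str


# Constructed sample store: one customer tenant with a sandbox record, and a second tenant.
CHATS: List[ChatRecord] = [
    ChatRecord(1, "tenant-A", False, "applicant1@example.com"),
    ChatRecord(2, "tenant-A", False, "applicant2@example.com"),
    ChatRecord(3, "tenant-A", True, "tester@example.com"),
    ChatRecord(4, "tenant-B", False, "applicant3@example.com"),
]

# Constructed sessions: a low-value test account and a real recruiter, both on tenant-A.
TEST_SESSION = Session("tenant-A-test", "tenant-A", is_test=True)
PROD_SESSION = Session("tenant-A-recruiter", "tenant-A", is_test=False)


class Forbidden(Exception):
    """Raised when a caller asks for data outside its own tenant or environment."""


def list_chats_insecure(session: Session, tenant_id: str) -> List[ChatRecord]:
    """Vulnerable pattern: the caller is authenticated, but the tenant to query comes
    from the request and the test flag is ignored, so a test login reaches production
    applicant chats. 'session' is accepted but never consulted."""
    return [c for c in CHATS if c.tenant_id == tenant_id]


def list_chats_secure(session: Session, tenant_id: str) -> List[ChatRecord]:
    """Hardened pattern: the tenant is taken from the session, a mismatching request is
    refused (and would be logged) rather than silently corrected, and test accounts
    only see test-flagged records."""
    if tenant_id != session.tenant_id:
        raise Forbidden(f"{session.account_id} may not read tenant {tenant_id}")
    return [
        c for c in CHATS
        if c.tenant_id == session.tenant_id and c.is_test == session.is_test
    ]


def cross_tenant_refused(session: Session, tenant_id: str) -> bool:
    """True if the secure handler rejects the request with Forbidden."""
    try:
        list_chats_secure(session, tenant_id)
    except Forbidden:
        return True
    return False


def authorization_checks() -> bool:
    """Isolation properties a development team should assert before the API ships.
    Returns True only if every property holds."""
    prod_ids = {c.chat_id for c in list_chats_secure(PROD_SESSION, "tenant-A")}
    test_ids = {c.chat_id for c in list_chats_secure(TEST_SESSION, "tenant-A")}
    return (
        prod_ids == {1, 2}                               # recruiters see only their own production chats
        and test_ids == {3}                              # a test account never sees real applicants
        and cross_tenant_refused(TEST_SESSION, "tenant-B")
        and cross_tenant_refused(PROD_SESSION, "tenant-B")
    )


if __name__ == "__main__":
    leaked = list_chats_insecure(TEST_SESSION, "tenant-A")
    print("insecure handler gave the test account:", [c.applicant_email for c in leaked])
    kept = list_chats_secure(TEST_SESSION, "tenant-A")
    print("secure handler gave the test account:", [c.applicant_email for c in kept])
    print("authorization checks pass:", authorization_checks())
```

Two design points matter here. First, the secure handler refuses a mismatched tenant instead of quietly substituting the session's tenant, because a refusal produces an auditable event that detection teams can alert on, while silent correction hides probing. Second, the test/production boundary is enforced in the data access path itself, not only at login, so a forgotten test account with a weak password is limited to sandbox records even if it is compromised.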
“First and foremost,” said Paradox.ai, “we want to emphasize that this incident impacted one Paradox client instance [McDonald’s]. We have been in frequent communication with the affected organization, and our other client instances were not impacted. Second, we are confident that, based on our records, this test account was not accessed by any third party other than the security researchers. It had not been logged into since 2019 and frankly, should have been decommissioned. Lastly, no sensitive personal information, such as Social Security numbers, was exposed. Those data fields remained protected in the system.”
Good for Paradox.ai for acting promptly. Its reputation will probably not be affected. Can you say the same if this happens to your firm?