IT Home reported on January 12 that, according to the overseas technology outlet 404 Media, network security expert MrBruh accidentally discovered vulnerabilities in the AI recruitment system used by the fast-food chain KFC. The flaws could be used not only to steal job applicants' information but also to take control of the AI system and hire or reject applicants for the fast-food restaurants.
MrBruh said it started with a script that scanned companies on the .ai TLD for exposed configurations of Firebase, a common backend platform used by developers.
Among the returned results was a Firebase configuration related to the fast-food chain KFC. By creating a new user, MrBruh gained read and write access to the underlying database.
The backend is provided by Chattr, a recruitment automation platform. Digging deeper, MrBruh found that he had access to an admin dashboard that listed the organizations using Chattr and gave him the ability to accept or reject job applicants, as well as to refund payments made to Chattr.
KFC told 404 Media in an email that Chattr only works with one KFC franchisee:
Chattr is not an affiliate vendor of the KFC Company. They only work with one franchisee and we don't know any details of the arrangement.
IT Home has attached the original article for interested readers who want to read it in depth.