ryandrake 20 hours ago

> The personality test was a disturbing experience powered by Traitify.com where we were asked if phrases like “enjoys overtime” are either Me or Not Me. It was simple to guess that we should probably select Me for the pro-employer questions and Not Me for questions referencing being argumentative or aggressive, but it was still quite strange.

Offtopic from the security issue, but I wonder if they really get any value out of this "Personality test." It seems like it's just a CAPTCHA that makes sure the applicant knows when to lie correctly.

  • jofer 16 hours ago

    Similar tests have been standard for over 20 years. When I worked at McDonald's (late 90's), they didn't do the personality test, but when I applied across the street at Arby's a few years later, they did.

    The one that I just got annoyed with and decided it wasn't worth switching from McD's to Arby's was "would you rather read a book or talk to a person?". I mean, I get it, they want people-focused-people, but being introverted and/or just liking books doesn't mean you can't give excellent customer service.

    Sure, it's easy to guess what want most of the time, but the fact that personality tests are as widespread as they are in employment is maddening.

    Many years later I worked at Chevron (upstream as an exploration geologist -- not a gas station). While they didn't do it as part of the application process, you were required to take a personality/communication style test when you started (ecolors). That's all well and good (it _is_ very useful to understand personalities for communication styles), but in a lot of roles you literally had to wear the colors on your badge. If you wanted to go into management, you essentially had to score "red over yellow". "Greens" and "blues" were considered to be limited to technical roles and were explicitly not given opportunities to advance, though it took a long time to realize that. I started out thinking "hey, this is actually practical" and then over a few years went to "oh, they're using this to decide who moves up... That's a problem". I asked folks and was told by my manager's manager that ecolors were explicitly used in advancement criteria and who got opportunities to lead projects/etc. That's around the time I left. I hear they've dialed that particular bit back a lot, but it's still very weird to me that it's considered a normal and acceptable practice.

    • pjc50 9 hours ago

      This is a classic of "a metric becomes a target" which turns into "so the way to get ahead is to lie about the metrics". It's an inefficient way of telling people what personality they need to fake in order to get ahead.

      Corporate Stakhanovism. It's funny how very large employers can end up with a culture which replicates some of the pathologies of Soviet life.

    • idiotsecant 16 hours ago

      Wow, talk about unintended consequences. I guarantee that at some early stage some non-sociopath genuinely thought that program would help people communicate. They underestimated the degree to which humans are willing to let tribalism supplant empathy.

  • bee_rider 20 hours ago

    Working in retail is 99% lying that you care about your job, so might as well start it out on the right footing.

    • sgerenser 18 hours ago

      What about working as a SWE at Google? Apparently they recently implemented a personality test as an initial screener (they call it a Googleyness test).

      • Retric 17 hours ago

        It doesn’t necessarily need to be beneficial for the company.

        Game theoretically there’s an advantage as an employee of a successful company to artificially reduce the number of people who can be employed to raise your own relative value to the company. If Google can only select from left handed employees suddenly they need to pay higher wages and existing employees are facing less competition as new employees are selected from a smaller applicant pool and thus worse.

        Probably not the actual answer, but it’s worth considering such indirect motivations.

        • trod1234 9 hours ago

          That's called wrong-think.

          If one were to do that, you would be imposing costs to the point where demand drops to 0, and supply in the near term would follow that to 0.

          From there you have a short march to economic collapse.

          • Retric 5 hours ago

            Management and workers extracting more money from companies isn’t a new thing, that’s the point of unions for example which didn’t collapse the economy.

            Various interests try to get other people to behave in specific ways, but what actually happens isn’t necessarily as clean as often described.

      • Waterluvian 16 hours ago

        Google is screening for compliant, fungible engineers. Especially those swayed by the need to be told they’re the best of the best. Tests like that make sense in an ugly sort of way.

    • misnome 12 hours ago

      I had a manager at a part time job at _Blockbuster_ say surprised in review “You make it sound like you are only working here for the money”.

      I mean, lol, yes?

      • bee_rider 5 hours ago

        My retail managers were mostly pretty chill “this is all bullshit so let’s get through it with minimal hassle” types. The workers were mostly teenagers, and teenagers haven’t learned how to quiet their bullshit detectors yet, so externalizing the bullshit generation seemed to work pretty well.

        I can’t really understand the mindset that gets really on-mission for that sort of thing, like somebody has a life goal of selling clothes or renting videos out.

        • jona-f 3 hours ago

          Well if you love clothes or loved movies before the internet was a thing, why not. Of course not at the soulless corporate shitholes we are talking about here. Oh wait, isn't that the exact way of doing business ycombinator is promoting? What are we doing here? Venture capital was the enemy all along.

  • veggieroll 20 hours ago

    For the employer, the question is self fulfilling. Either way they get what they want. Even if someone knows enough to lie, the lie betrays that they’re desperate enough to be unable to resist anything management demands.

    • BobaFloutist 32 minutes ago

      Or it shows that you put a very low value on your honesty, and will happily say or do anything other people want to hear as long as it's to your advantage.

    • reactordev 20 hours ago

      While also providing evidence that you do indeed love overtime based on your answer. Ugh… the only way to win is not to play.

  • cebert 17 hours ago

    This Traitify the product makes me immediately suspicious. It asks candidates a few brief questions with images and assigns them personality and trait scores. Surely employers can’t think tools like this are good or accurate signals, right?

    Most positions at McDonalds are entry-level and minimum wage. It’s not like they’re applying to NASA.

    (https://www.traitify.com/)

    • jona-f 2 hours ago

      Well, as bee_rider pointed out somewhere in this thread, the new employees learn what personality they are suppose to fake. So maybe these tests are working better than we think. The lying might even psychologically trick these employees to actually behave that way, out of guilt.

    • yieldcrv 13 hours ago

      A very large part of the population treats “minimum wage” as “maximum wage”.

      Once you understand that, many behaviors make a lot of sense.

  • HPsquared 18 hours ago

    Overtime can be enjoyable if you get paid overtime rates.

  • saghm 16 hours ago

    Maybe the goal isn't knowing when the lie as much as being willing to tolerate the bullshit they'll want to throw your way away the job. Presumably anyone not willing to say they like overtime (or unable to determine that's what the employer wants them to say) would not be compliant to demands to actually work overtime. If you don't give the answers they expect you to know you're supposed to give, they can likely rule out you as as an employee who will keep your head down and not rock the boat.

  • idiotsecant 16 hours ago

    It's a personality test, just not for what it says on the tin. It's a way of determining how beaten down by the system you are. Have you been taught yet that your corporate masters expect you to cheerily tell them how much you love being fry cook drone 732-b926? It's a measure of docility - they are seeing if you have been 'broken' yet. Everyone wants the workhorse, nobody wants to break him.

  • msgodel 19 hours ago

    Is it simple to guess? I always assumed if you went too hard with those answers they'd assume you were lying and reject you.

    Maybe this is why I never got the mcdonalds call back last time I was layed off.

    • Telemakhos 16 hours ago

      Where's the line between "lying to pass a test" and "fitting in to a community?" Is there not some element of functioning well with other people as a group that requires us to repress certain individual desires and traits for the good of achieving a common goal? Nobody actually likes working fast food, but customers feel better when employees act less surly and more complacent.

    • latentsea 17 hours ago

      I too was rejected from McDonald's.

      • cebert 16 hours ago

        My wife is incredibly intelligent. She has a master’s degree and is working on her doctorate (definitely smarter than me). I still laugh about how, 12 years ago, she got rejected from a summer clerk job at a grocery store because she failed the online personality test. If anything, she was wildly overqualified. That store definitely missed out.

        • giingyui 11 hours ago

          I’m surprised at your comment. I really doubt a person with a high level of intelligence is a good match for a grocery clerk job. That is one of the reasons the personality tests exist.

          • RandomBacon 6 hours ago

            I was a cashier once. I caught a lot of scams that I feel like my coworkers would not have. I was second in the nation one month in this chain at upselling at the register. My cash drawer was balanced within a few cents each shift. I checked out more customers per shift than my coworkers. I worked there for about 8 months until I got a job that I was much more qualified for. I lasted longer than others, but not longer than my team leads.

            Maybe people with higher levels of intelligence don't last as long until they get a better job, but I think they're pretty valuable for the time they are there. I think that most entry-level stores are shortsighted for ignoring those applicants.

        • Incipient 16 hours ago

          Apologies for the nitpick, but being rejected for personality is (essentially) mutually exclusive from (over)qualification.

          • seemaze 16 hours ago

            Pedants unite!

      • _moof 15 hours ago

        Best Buy for me.

  • sandspar 14 hours ago

    From talking to people who invigilate these tests, you'd be surprised by how people answer. For example, someone answers Yes to "It is ok to steal from my employer."

    I think these tests optimize for multiple things. Part of the test is designed to weed out people who are hostile and violent. Plus it's an IQ test with a floor of around 80, which seems reasonable. And it judges how well you can follow orders and "play the game".

    McDonald's has dealt with tens of millions of job applicants. Many of these people arrive with complex challenges. There's a reason why McDonald's uses tests like these.

    It might make more sense if you take the perspective of a McDonald's worker. Imagine you're a typical McDonald's employee - maybe you're a mom with two kids. Let's say you get a new coworker. Wouldn't you feel a little safer to know that they passed this test?

    • briangriffinfan 7 hours ago

      I get more and more exhausted every time I see the, to give a hyperbolic comparison, "The momentum generated by our economy of scale means we really have no choice but to keep the orphan-crushing machine going."

      I may be an old man yelling at the clouds here, but I just wish "Maybe the fact that they're trying to be so big that problems like this become inevitable" were rhetorically explored more.

  • kevin_thibedeau 17 hours ago

    It works as a reading comprehension test. Semi-literates giving random responses will stand out from the compliant ones who know how to play the game.

david2ndaccount 20 hours ago

> We immediately began disclosure of this issue once we realized the potential impact. Unfortunately, no disclosure contacts were publicly available and we had to resort to emailing random people. The Paradox.ai security page just says that we do not have to worry about security!

Amazing.

  • eth0ws 18 hours ago

    Having a security.txt would be best, but they've updated the page to include a security email address which is a start.

  • jonas21 16 hours ago

    One might even say paradoxical.

Daviey 5 hours ago

Perhaps I'm being overly cynical, but I'm struggling to see how this qualifies as an IDOR in the strict sense. While using UUIDs might reduce guessability, the real issue here is weak authentication, not insecure direct object references.

OWASP defines an IDOR as "an access control vulnerability that occurs when an application uses user-supplied input to access objects directly… without verifying the user is authorized for the target object" (OWASP Top 10 2021 – A01: Broken Access Control). But in this case, access to highly privileged internal functionality was granted simply by logging in with default credentials, no authorization bypass was needed because authentication was effectively absent.

This aligns more closely with CWE-1390: "Use of Default Credentials" and CWE-306: "Missing Authentication for Critical Function." The attacker was able to log in as a privileged user due to trivial credentials, and the lack of multi-factor authentication (MFA) further compounded the issue. Had MFA been implemented, or default credentials disabled, the ID enumeration would have been irrelevant. That makes it clear the real vulnerability lies in the authentication mechanism and not in how object references were structured.

Proofread0592 21 hours ago

I cannot believe the 123456 worked, it's literally a joke from SpaceBalls.

  • shrubble 21 hours ago

    Reminds me that I need to change the combination on my luggage…

  • jeffbee 19 hours ago

    In a past life, I had an investment stake in Krispy Kreme donuts. We were poking around to see if we could learn anything about the company. We watched a training video for new store managers. It told the viewer to go to some URL and enter their credentials. In the video, the example credentials were "admin" and "admin" as the password. So we tried that, and of course it worked on their live system. We immediately had access to global, live, online revenue data for every real Krispy Kreme outlet, not some training simulation.

    Most people are not qualified to handle computer security, is what I learned from that.

    • chasil 17 hours ago

      When I started my job in 2000, I introduced my fellow (emeretus) DBA to "ps -ef | grep sqlplus" and sprayed a pile of user accounts and passwords. I fixed the problem and learned about Oracle databases.

      I checked my apps into RCS archives later that decade with passwords. Expecting to move these archives into CVS, I changed them.

      Now, any code repository that I touch, I will run "git grep password" (or the [TFS] equivalent) and once again hit pay dirt.

      It seems to take a certain exposure, growth, and wisdom to be mindful of these things, and many are far behind.

bravesoul2 a day ago

It involves AI but AI wasn't the cause. It was an enumeration on object id, discovered because the author could access a test site with password 123456 and try things out.

  • oc1 21 hours ago

    I have so many questions to the developers but i believe the answers will just crush my poor worker soul so let it be.

    • ryandrake 20 hours ago

      I've been so lucky throughout my career to have almost entirely worked with competent and smart developers. I've always wondered what a conversation with one of these other ones is like, after a production site is found to use 123456/123456 as credentials. "Hey, Mike, we just had someone in the public notice that our admin interface could be accessed by anyone with default credentials. You're the manager on this project. How did this happen?" I would love to be a fly on the wall for that conversation, or read the postmortem. How does this kind of configuration even make it past code review, let alone staging and production?

      • joules77 17 hours ago

        "We outsourced it to the 3rd world cuz it costs 20 bucks a week to hire a "certified" sysadmin there"

        You want data of any Large corp in the US - fly to well known outsourcing destinations. Stand outside the gate of their "global delivery centers". Hand out cash. Get access to whatever you want.

        But the main thing to understand here in 2025 is that getting access to/monetizing user data has become so normalized, that you could legally just go to McD Biz Dev (or which ever other large corp) and say - hey guys I have this algo that can add 2 bucks of revenue per user per quarter (throw in a - just look at Meta they extract 70 bucks out of their American users and atleast 12 bucks out of everyone else per quarter just using the personal data). To test my algo, I need access to your DB. Your competitor has already given me access to theirs for testing.

        What is corporate robot going to do?

        They will hand you the data.

      • viraptor 18 hours ago

        It's rarely as simple as actually exposing something as a decision. Scope changes, access rules change, multiple systems interact in interesting ways, access configuration lives in a different place than the app, etc. You're implying that it wouldn't happen with competent developers, but I guarantee it does - just wait a bit longer and let the systems grow. The Swiss cheese will get everyone given enough time.

      • NooneAtAll3 18 hours ago

        > How does this kind of configuration even make it past code review

        that's the secret - there is none

      • lmz 20 hours ago

        It's config not code - and a demo interface is a nice thing to have. The cross account read, however...

      • Marsymars 18 hours ago

        ”Well you see, that work was outsourced to a team where none of the implementing developers are still present, our auditors and pen testers both signed off on it, and anyway we’ve got cyber insurance to cover the fallout.”

  • TZubiri 21 hours ago

    It certainly doesn't reflect well on AI as a BuzzWord.

    Execs vetted this provider and approved it, which isn't irrelevant to the disregard for safety occuring with AI in general right now.

    Additionally, are we certain the vendor didn't use AI to vibecode stuff?

macqm 13 hours ago

Paradox.ai hasn't fixed their vulnerabilities for years.

You used to be able to find full conversations with candidates indexed by Google, with PII, resumes, lots of sensitive data.

Now they add a verification step (sometimes) that still leaks the full e-mail and phone number: "We sent you a verification code to your@email.xyz and SMS to 914-555-1212".

Titan2189 20 hours ago

Hats off to Paradox for remediating this within 30 hours of reporting.

  • RandomBacon 16 hours ago

    Hopefully it shouldn't take longer than 30 hours to change a password.

snypher 20 hours ago

>Without much thought, we entered “123456” as the username and “123456” as the password

I feel like there's more to this that I'd love to know the story behind...

  • gruez 19 hours ago

    Maybe they ran a simple wordlist attack and wanted to launder the methods they used?

  • netsharc 10 hours ago

    Perhaps it was implied that the username is numeric.

ge96 17 hours ago

Funny I remember trying to get a job at McD's before and had to answer those behavioral questions kill 1 or 5

bombcar 17 hours ago

It’s kind of sad and yet expected that McDonald’s responds. Wyeth to security vulnerabilities than many Internet companies do.

combinator_y 9 hours ago

On top of the shit system in place, there is no corporate control internally (5th screenshot "NGA FS" ...)

trod1234 9 hours ago

I'm sure there are a lot of McDonald's positions out there, but doesn't 64 million job applicants seem like a bit much?

There are only 13,647 locations in the US, so that would be 4,689 applications for each store? Makes you wonder how many of those were actually hired because there may only be 30-50 people per store.

What's it say about a company when they deceptively advertise that they are hiring when they really aren't (because all the positions were filled). Bad acting stuff like this needs cost imposed.

  • Macha 8 hours ago

    How many countries do McDonald's use this system in? It's a global company, and as big a market as the US is, McDonalds themselves claim they have "over 38,000 stores" so the US is less than half.

    Then how often does the typical McDonald's have a vacancy? These are not good jobs that would cause low turnover, especially once you get into touristy markets where demand is very seasonal. Let's say 10 openings per store per year.

    Finally when your applicant pool is basically "every college student, unqualified adult, and even some teenagers", 200-300 applications per opening seems entirely plausible. Low even, from the times I've seen the entry level hiring process close up.

    Of course, the thing that confuses people with application numbers like this is they assume that there's no overlap. The same people generally apply to all the jobs in an area so the local McDonalds getting a few thousand applications a year might only be a few hundred unemployed people.

Y_Y a day ago

[flagged]

  • quantified 20 hours ago

    They're on a test menu. Sometimes you see it, sometimes you don't.

  • heavyset_go 21 hours ago

    It was on my desk but it disappeared because it doesn't exist. Besides, it's weird that you're still talking about this Epstein guy when things like Texas happened.

    • lesuorac 21 hours ago

      It's unfortunate the administration can only focus on one thing and can't handle Texas and Epstein at the same time.