The article outlines a significant security vulnerability discovered in Chattr.ai, an AI hiring system used by numerous American fast food chains. The flaw allowed unauthorized access to sensitive data, including personal information of employees and job applicants. Despite responsibly reporting the issue, Chattr.ai’s response was notably lacking in recognition or appreciation.
Main Points
Chattr.ai vulnerability discovered and exploited
A security researcher was able to exploit a vulnerability in Chattr.ai’s Firebase setup to gain full access and control over its database, including sensitive user data.
Sensitive data exposure
Sensitive data of Chattr’s employees, franchisee managers, and job applicants was exposed, including plaintext passwords for some accounts.
Lack of gratitude or engagement from Chattr.ai post-disclosure
Despite responsible disclosure of the vulnerability, Chattr.ai failed to properly acknowledge the discovery, closing the support ticket without thanks.
Insights
The vulnerability in Chattr.ai's system allowed unauthorized users to gain full privileges to their Firebase DB.
But if you use Firebase’s registration feature to create a new user (you cannot register on their site), you get full privileges (read/write) to the Firebase DB.
The exposed data included sensitive information about employees, managers, and job applicants.
The data it exposes includes and is not limited to: Names, Phone numbers, Emails, Plaintext passwords (Only some account’s had exposed passwords), Locations of branches, Confidential messages, Shifts.
The vulnerability was discovered and reported, but Chattr.ai closed the support ticket without expressing gratitude or further contact.
Support ticket closed, no thanks or further contact received despite explicitly requesting it