How Chattr.ai Was Hacked: Lessons Learned from a Major AI Hiring Data Breach

Chattr.ai, a prominent AI-driven hiring platform used by many fast food chains to screen and hire employees, exposed sensitive candidate and employee data through a misconfigured backend database. This analysis gives a clear, factual overview of what happened and how it could have been avoided.

Timeline of Events

  • 06/01/2024: Vulnerability Discovered
  • 09/01/2024: Write-up completed & Emailed to Chattr.ai
  • 10/01/2024: Vulnerability patched
  • 11/01/2024: Support ticket closed without further communication

Data Exposed

The breach affected a wide range of companies, mostly fast food chains, including Applebee's, Arby's, Chick-fil-A, Dunkin', IHOP, KFC, Shoney's, Subway, Taco Bell, Target, Wendy's... The white-hat researchers gained access to a vast array of sensitive information about candidates applying to those businesses:

  • Names
  • Phone numbers
  • Emails
  • Plaintext passwords (for some accounts)
  • Confidential messages
  • Shift schedules
  • Billing information
  • Full application conversations
  • Candidate Resumes, Addresses, and notes
  • Profile pictures
  • Pay info

How and Why the Security Issue Occurred

The security lapse was a misconfiguration of Chattr.ai's Firebase backend: its security rules did not adequately validate who was allowed to read and write the data. The tool used to find it was Firepwn, a GUI application for probing and exploiting misconfigured Firebase projects.

Unauthenticated requests were granted no permissions at all, but the situation escalated as soon as the white-hat hackers manually registered a new user through Firebase Authentication: self-service sign-up was enabled, and the security rules evidently granted any authenticated user full read/write access to the database. No bug in the application code was exploited; it was purely a security misconfiguration.

Recommendations

Check your database provider configuration

The vulnerability was in Firebase's security rules, the configuration that decides who may read and write each part of the database (Firestore or the Realtime Database). Getting these rules right is the entire access-control story for a client-side Firebase app: the SDK talks to the database directly, and there is no application server in between to enforce anything the rules do not. Rules that are too open, whether left in "test mode" (allow read, write: if true), copied from a tutorial, or written to trust any signed-in user, expose everything to anyone who can satisfy the condition, and "signed in" is a condition an attacker satisfies simply by registering an account. Attackers use automated tools to scan for and exploit exactly these misconfigurations, which is how this breach happened. A quick check that catches this class of error: in the Firebase console's Rules Playground (or against the local emulator), run a read and a write on every collection holding personal data both as an unauthenticated caller and as a freshly created user, and confirm that both are denied.

Don't store Plaintext Passwords

One of the critical issues highlighted was the handling of passwords. Storing passwords in plaintext in the database is a significant security risk: anyone who gains read access to the database, as happened here, can use them immediately, and because people reuse passwords the damage extends to the candidates' other accounts. The fix is not encryption, which is reversible by whoever holds the key, but hashing with a slow, salted password hash such as bcrypt, scrypt or Argon2 before storing anything. Hashing is one-way, so even an attacker who reads the whole table is left with values they must guess against, one expensive computation at a time. Note also that when authentication is delegated to Firebase Authentication, the application never needs to store a password at all.

Data breach detection with honeypots

A honeypot helps detect exploitation attempts early by planting something that no legitimate workflow ever touches and alerting the moment it is touched. In a database like this one, that can be as simple as a few fake candidate records with unique, never-advertised email addresses: a real recruiter has no reason to open them, so any read of those records is a reliable signal that someone is enumerating the collection, which is exactly what a tool like Firepwn does. Adding honeypot records to their system, and alerting on access to them, would have let the company detect, analyze, and respond to this kind of intrusion far faster than waiting for a researcher's email.

Proper security audits

Developers and companies must ensure that security rules restrict access to authorized users only, tested from the attacker's position (unauthenticated and freshly registered), and that sensitive data is adequately protected: passwords hashed, never stored in plaintext or merely encrypted, and personal data such as resumes, addresses and pay information readable only by the roles that need it. Regular security audits of the live configuration, not just the code, together with adherence to best practices in data protection, can help mitigate the risk of similar vulnerabilities.