I pwned half of America's fast food chains simultaneously

Original link: https://mrbruh.com/chattr/

In this article, a skilled technical writer shares his experience of breaking into half of America's popular fast food chains simultaneously. By analysing websites that use the ".ai" top-level domain, he found a vulnerability in a powerful AI hiring system called "Chattr.ai". The platform is widely used by many US restaurant franchises, including Applebee's, Arby's, Dunkin', Chick-fil-A, Wendy's, Shoney's, Subway, Target, KFC and IHOP. The vulnerability gave him unlimited database read/write access without authentication. The exposed information ranged from plaintext passwords to confidential employee messages and locations. After the issue was reported, it took them three weeks to fix it, and communication remained minimal after the resolution. Responsible disclosure followed, with credit given to the author's teammates. Overall, this story highlights the importance of strong cybersecurity measures for companies handling sensitive personal information.

The problem is that resolving this issue also requires investigating how a malicious actor managed to identify and circumvent the obvious oversight, which raises suspicion about possible future attempts. If necessary, investigating the reporter's identity can sometimes lead to criminal charges, and is often seen as a necessary step to protect the organization's reputation. By not explicitly expressing any gratitude or appreciation, the organization can avoid incriminating itself and potential future litigation. In addition, responding too early might also suggest that the fix was rushed to save face and resolve the issue before releasing a statement about it. Therefore, avoiding immediate acknowledgement lets the company appear stoic, analytical and logical while handling the crisis, even if it is merely following established protocol.

Original text

Also check out Eva's blog post on this event.

With an upbeat pling, my console alerted me that my script had finished running. To be precise, it had been searching for exposed Firebase credentials on any of the hundreds of recent AI startups.

This was achieved through a public list of sites using the .ai TLD and parsing the site data (and any referenced .js bundles) for references to common Firebase initialisation variables.

Production: {
    apiKey: "AIza",
    authDomain: "KFC.firebaseapp.com",
    databaseURL: "https://KFC.firebaseio.com",
    projectId: "KFC",
    storageBucket: "KFC.appspot.com",
    messagingSenderId: "123456789"
}

My hunch was that in the rush to push their new shiny product, someone would take a shortcut and forget to implement proper security rules.

The hunch was right, and it was worse than I could’ve ever guessed.

Meet Chattr.ai

…The self-proclaimed AI hiring system that claims to shave 88% off the time it takes to hire new people.

They provide their services to a massive number of fast food chains and other hourly employers around the United States, including but not limited to:

  • Applebee's
  • Arby's
  • Chick-fil-A
  • Dunkin'
  • IHOP
  • KFC
  • Shoney's
  • Subway
  • Taco Bell
  • Target
  • Wendy's

The Vulnerability

If you drop the Firebase configuration from the JS bundle into Firepwn, you start out with zero permissions, as you can see in the following screenshot.

[Screenshot: Firebase query returning an empty result]

But if you use Firebase's registration feature to create a new user (you cannot register on their site), you get full privileges (read/write) to the Firebase DB.

[Screenshot: Firebase query returning lots of information about the organizations signed up for Chattr]

The data it exposes includes, but is not limited to:

  • Names
  • Phone numbers
  • Emails
  • Plaintext passwords (only some accounts had exposed passwords)
  • Locations of branches
  • Confidential messages
  • Shifts

For the following:

  • Chattr employees
  • Franchisee managers
  • Job applicants

It Gets… Worse?!

Yeah, it somehow manages to get even worse.

If you grab the list of admin users from /orgs/0/users, you can splice a new entry into it giving you full access to their Administrator dashboard.

As you can see below, it allows for even more control over their systems, including accepting/denying applicants or even refunding payments made to Chattr.

[Screenshots: Admin dashboard showing the list of organizations; the list of Administrators; their dialog presets & configuration; a conversation of an applicant applying for a job; options to accept or decline new applicants; payments made and the option to refund them]
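The behaviour described in both "The Vulnerability" and the admin-list splice above is what you get when Realtime Database rules grant read/write to any signed-in identity, since Firebase Auth sign-up is open by default. As an added illustration (not from the original post, and not Chattr's actual rules), here is a constructed rules file reproducing that behaviour, a hardened alternative that ties access to a server-issued org claim, and a small Python check that flags any .read/.write grant an arbitrary self-registered account would satisfy. The path orgs/$org/users and the claim names org and admin are assumptions.

```python
import json

# Constructed: rules that deny unauthenticated clients but give every
# Firebase Auth user (including one created via the public sign-up API)
# read/write on the whole tree.
WEAK_RULES = json.dumps({
    "rules": {
        ".read": "auth != null",
        ".write": "auth != null",
    }
})

# Constructed hardened alternative: reads require a server-set custom claim
# matching the org; the admin user list is writable only with an admin claim.
HARDENED_RULES = json.dumps({
    "rules": {
        "orgs": {
            "$org": {
                ".read": "auth != null && auth.token.org == $org",
                "users": {
                    ".write": "auth != null && auth.token.org == $org"
                              " && auth.token.admin == true",
                },
            }
        }
    }
})

# Rule expressions satisfied by any signed-in identity, whoever they are.
# This is a pattern check, not a parser: an equivalent expression written
# differently (e.g. "auth != null && true") will not be flagged.
ANY_SIGNED_IN = {"auth != null", "auth !== null", "true"}


def find_overbroad_grants(rules_json):
    """Return (path, permission, expr) for each .read/.write that any
    authenticated user satisfies, walking the rules tree recursively."""
    root = json.loads(rules_json)["rules"]
    findings = []

    def walk(node, path):
        for key, val in node.items():
            if key in (".read", ".write"):
                if val is True or str(val).strip() in ANY_SIGNED_IN:
                    findings.append((path or "/", key, val))
            elif isinstance(val, dict):
                walk(val, f"{path}/{key}")

    walk(root, "")
    return findings
```

Restricting who can sign up in Firebase Authentication closes the registration route the post describes, but the rules still need tightening for accounts that already exist.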

Timeline (DD/MM)

  • 06/01 - Vulnerability Discovered
  • 09/01 - Write-up completed & Emailed to them
  • 10/01 - Vulnerability patched
  • 11/01 - Support ticket closed, no thanks or further contact received despite explicitly requesting it

Credits

To my friends who assisted me with this pentest and its responsible disclosure.
