sjvn
sjvn boosted
Benjamin Carr, Ph.D. 👨🏻‍💻🧬
@BenjaminHCCarr@hachyderm.io  ·  activity timestamp 21 minutes ago
#McDonald’s #AI Hiring #Bot Exposed Millions of Applicants’ Data to Hackers Who Tried the #Password ‘123456’
Basic #security flaws left the personal info of tens of millions of McDonald’s job-seekers vulnerable on the “McHire” site built by AI software firm https://Paradox.ai.
https://www.wired.com/story/mcdonalds-ai-hiring-chat-bot-paradoxai/
https://archive.ph/1Y8Oq
#ITSec
Benjamin Carr, Ph.D. 👨🏻‍💻🧬
@BenjaminHCCarr@hachyderm.io  ·  activity timestamp 21 minutes ago
#McDonald’s #AI Hiring #Bot Exposed Millions of Applicants’ Data to Hackers Who Tried the #Password ‘123456’
Basic #security flaws left the personal info of tens of millions of McDonald’s job-seekers vulnerable on the “McHire” site built by AI software firm https://Paradox.ai.
https://www.wired.com/story/mcdonalds-ai-hiring-chat-bot-paradoxai/
https://archive.ph/1Y8Oq
#ITSec
Felix Palmen :freebsd: :c64:
@zirias@mastodon.bsd.cafe  ·  activity timestamp 4 months ago

Of course, this new credentials checker in #swad needs a #tool to edit these #password files, that's currently work in progress.

I just implemented the class for reading a password, pretty simple thing from a pipe, but an "interesting" job from a #terminal. Turns out doing that portably, reliably and secure needs quite some code. 🙈

There's #getpass, but that's deprecated for good reasons (global state and not perfectly clear how it deals with #signals that could interrupt the input). And there's the sane replacement #readpassphrase in some systems (e.g. #FreeBSD), but that's not portable. 🙃

So, plain old #tcsetattr it is, with some signal handling on top:
https://github.com/Zirias/swad/commit/447f48096fc275a5bae113393ffe9a3cbc66cc95