Context
On January 10, 2024, the security researcher known as Mr Bruh published a report outlining a misconfiguration in the popular AI-based hiring vendor Chatter.ai that exposes sensitive user data.
According to the report, attackers can use Chatter.ai’s registration feature to create new user profiles with full read/write privileges by abusing a vulnerability or a misconfiguration in their Firebase backend database.
Exposed data reportedly includes:
- Names
- Phone numbers
- Emails
- Plaintext passwords (This was a small subset of users)
- Locations of branches
- Confidential messages
- Shifts
Additionally, the researchers claim that “there was a ‘ghost’ mode where super admins could “access someone else’s [sic] account and fully control them, this was where i discovered the fact that we could view billing info with this.”
Community Impact
The report lists multiple prominent customers of Chatter.ai, which include organizations in the restaurant industry. As such, all organizations are advised to determine whether they utilize Chatter.ai services, and if so, to reach out to them regarding mitigation and impact. As of this writing, the security researcher reports that Chatter.ai has not responded to any communications regarding the issue. The RH-ISAC will follow up with additional information as it becomes available.
