Security Researcher Discloses Misconfiguration in Chattr.ai Hiring Service That May Expose Sensitive Data

Attackers can use Chattr.ai's registration feature to create new user profiles with full read/write privileges by abusing a vulnerability or a misconfiguration in their Firebase backend database.
Help Wanted sign at restaurant

Context

On January 10, 2024, the security researcher known as Mr Bruh published a report outlining a misconfiguration in the popular AI-based hiring vendor Chatter.ai that exposes sensitive user data.

According to the report, attackers can use Chatter.ai’s registration feature to create new user profiles with full read/write privileges by abusing a vulnerability or a misconfiguration in their Firebase backend database.

Exposed data reportedly includes:

  • Names
  • Phone numbers
  • Emails
  • Plaintext passwords (This was a small subset of users)
  • Locations of branches
  • Confidential messages
  • Shifts

Additionally, the researchers claim that “there was a ‘ghost’ mode where super admins could “access someone else’s [sic] account and fully control them, this was where i discovered the fact that we could view billing info with this.”

Community Impact

The report lists multiple prominent customers of Chatter.ai, which include organizations in the restaurant industry. As such, all organizations are advised to determine whether they utilize Chatter.ai services, and if so, to reach out to them regarding mitigation and impact. As of this writing, the security researcher reports that Chatter.ai has not responded to any communications regarding the issue. The RH-ISAC will follow up with additional information as it becomes available.

More Recent Blog Posts

2024 RH-ISAC Cyber Intelligence Summit logo

Register for RH-ISAC Summit

Our biggest event of the year is coming up soon! Join RH-ISAC April 9-11 in Denver for our annual three-day conference featuring interactive, practitioner-led discussions, breakout sessions, and keynote presentations.