how we owned almost all of america's fast food chains

in a really dumb and simple 2 steps

check out mrbruhs blogpost if you havent already

so recently i was on call with some friends messing with some other stuff when we remembered the existence of a scanner we made for firebase and found and realised they used firebase, we didnt know much about firebase at the time so we simply tried to find a tool to see if it was vulnerable to something obvious and we found firepwn, which seemed nice for a GUI tool, so we simply entered the details of chattr's firebase.

at first, we got permission denied for everything, so we thought it was safe. but then we tried registering a account with firebase manually, and once we signed in, we could see literally everything.

we were in a call at the time, and our reaction to this was insane, as if we look at chattr's website, they manage hiring for a lot of fast food chains.

Carousel displaying "Taco Bell", "KFC", "Double Tree", "Jimmy John's", "Wendy's" and "Village Inn" on

going from bad to worse

at this point, we had quite a lot of access but we wanted to see how bad this could get. so we kept searching, and after looking at the admin dashboard javascript for a while we found these firestore collections:

  • dialog
  • jobCategories
  • questions
  • candidates
  • candidateJobs
  • orgs
  • orgs/{orgID}/candidateJobs
  • orgs/{orgID}/conversations
  • orgs/{orgID}/groups
  • orgs/{orgID}/jobs
  • orgs/{orgID}/locations
  • orgs/{orgID}/notifications
  • orgs/{orgID}/users

these leaked quite a lot but what we were most interested in was getting access to the admin dashboard or getting a admin account, we quickly found out all of the admin accounts are in the organization of 0 which seems to be the chattr organization. if we look at one of these users we'll see this:

    "createdDt": REDACTED,
    "id": "REDACTED",
    "phone": "",
    "shouldRefresh": false,
    "jobTitle": "",
    "forceLogout": false,
    "locations": [],
    "combinedLocations": [],
    "scheduleOptions": [],
    "lastLoginDt": REDACTED,
    "modifiedDt": REDACTED,
    "status": "active",
    "isDeleted": false,
    "email": "",
    "createdBy": {
      "id": "REDACTED",
      "email": ""
    "providerId": "REDACTED",
    "ghostOrg": "0",
    "modifiedBySource": "api-middleware-user-activity",
    "roles": [
    "groups": [],
    "modifiedBy": null,
    "orgId": "0",
    "lastActivity": REDACTED,
    "firstname": "REDACTED",
    "lastname": "REDACTED",
    "timezone": "America/New_York"

so out of pure curiosity i tried to create a document with a random id and replaced the provider id with our fake user id copying this document, and out of nowhere it worked:

Photo of the chattr admin dashboard, text saying "one dream. one team." with the chattr logo

and the impact here is obvious:

Photo of the chattr admin dashboard, list of all admins of the service

... and more:

Photo of the chattr admin dashboard, list of all orgs using the service

... and even more:

Photo of a conversation between the application bot and a candidate

going from worse to catastrophic

we soon realised from this admin dashboard, we could view conversations of candidates, phone numbers, profile pictures and more very powerful stuff from this admin panel, but while looking around on their app i randomly went to their actual user interface where i discovered something very interesting.

there was a "ghost" mode where superadmins could access someone elses account and fully control them, this was where i discovered the fact that we could view billing info with this:

Photo of a stripe reciept from Chattr

we could also hire people and do other stuff with the ghost mode.

lets tldr

so, that was one hell of a ride but the basic TLDR is that

big hiring company got fully pwned by a really stupid vulnerability that couldve been prevented really easily, the following data was exposed:

  • billing information
  • plaintext passwords (only 6 or so accounts had this)
  • phone numbers
  • resumes
  • emails
  • full application conversation
  • candidate notes
  • profile pictures
  • addresses
  • all notifications
  • company phone numbers
  • pay info


we did not save any info other then the screenshots above and maybe a few more, we did make sure to get rid of extremely sensetive personal information.