> The personality test was a disturbing experience powered by Traitify.com where we were asked if phrases like “enjoys overtime” are either Me or Not Me. It was simple to guess that we should probably select Me for the pro-employer questions and Not Me for questions referencing being argumentative or aggressive, but it was still quite strange.
Offtopic from the security issue, but I wonder if they really get any value out of this "Personality test." It seems like it's just a CAPTCHA that makes sure the applicant knows when to lie correctly.
Similar tests have been standard for over 20 years. When I worked at McDonald's (late 90's), they didn't do the personality test, but when I applied across the street at Arby's a few years later, they did.
The one that I just got annoyed with and decided it wasn't worth switching from McD's to Arby's was "would you rather read a book or talk to a person?". I mean, I get it, they want people-focused-people, but being introverted and/or just liking books doesn't mean you can't give excellent customer service.
Sure, it's easy to guess what want most of the time, but the fact that personality tests are as widespread as they are in employment is maddening.
Many years later I worked at Chevron (upstream as an exploration geologist -- not a gas station). While they didn't do it as part of the application process, you were required to take a personality/communication style test when you started (ecolors). That's all well and good (it _is_ very useful to understand personalities for communication styles), but in a lot of roles you literally had to wear the colors on your badge. If you wanted to go into management, you essentially had to score "red over yellow". "Greens" and "blues" were considered to be limited to technical roles and were explicitly not given opportunities to advance, though it took a long time to realize that. I started out thinking "hey, this is actually practical" and then over a few years went to "oh, they're using this to decide who moves up... That's a problem". I asked folks and was told by my manager's manager that ecolors were explicitly used in advancement criteria and who got opportunities to lead projects/etc. That's around the time I left. I hear they've dialed that particular bit back a lot, but it's still very weird to me that it's considered a normal and acceptable practice.
Wow, talk about unintended consequences. I guarantee that at some early stage some non-sociopath genuinely thought that program would help people communicate. They underestimated the degree to which humans are willing to let tribalism supplant empathy.
What about working as a SWE at Google? Apparently they recently implemented a personality test as an initial screener (they call it a Googleyness test).
Google is screening for compliant, fungible engineers. Especially those swayed by the need to be told they’re the best of the best. Tests like that make sense in an ugly sort of way.
It doesn’t necessarily need to be beneficial for the company.
Game theoretically there’s an advantage as an employee of a successful company to artificially reduce the number of people who can be employed to raise your own relative value to the company. If Google can only select from left handed employees suddenly they need to pay higher wages and existing employees are facing less competition as new employees are selected from a smaller applicant pool and thus worse.
Probably not the actual answer, but it’s worth considering such indirect motivations.
This Traitify the product makes me immediately suspicious. It asks candidates a few brief questions with images and assigns them personality and trait scores. Surely employers can’t think tools like this are good or accurate signals, right?
Most positions at McDonalds are entry-level and minimum wage. It’s not like they’re applying to NASA.
For the employer, the question is self fulfilling. Either way they get what they want. Even if someone knows enough to lie, the lie betrays that they’re desperate enough to be unable to resist anything management demands.
Maybe the goal isn't knowing when the lie as much as being willing to tolerate the bullshit they'll want to throw your way away the job. Presumably anyone not willing to say they like overtime (or unable to determine that's what the employer wants them to say) would not be compliant to demands to actually work overtime. If you don't give the answers they expect you to know you're supposed to give, they can likely rule out you as as an employee who will keep your head down and not rock the boat.
From talking to people who invigilate these tests, you'd be surprised by how people answer. For example, someone answers Yes to "It is ok to steal from my employer."
I think these tests optimize for multiple things. Part of the test is designed to weed out people who are hostile and violent. Plus it's an IQ test with a floor of around 80, which seems reasonable. And it judges how well you can follow orders and "play the game".
McDonald's has dealt with tens of millions of job applicants. Many of these people arrive with complex challenges. There's a reason why McDonald's uses tests like these.
It might make more sense if you take the perspective of a McDonald's worker. Imagine you're a typical McDonald's employee - maybe you're a mom with two kids. Let's say you get a new coworker. Wouldn't you feel a little safer to know that they passed this test?
It's a personality test, just not for what it says on the tin. It's a way of determining how beaten down by the system you are. Have you been taught yet that your corporate masters expect you to cheerily tell them how much you love being fry cook drone 732-b926? It's a measure of docility - they are seeing if you have been 'broken' yet. Everyone wants the workhorse, nobody wants to break him.
Where's the line between "lying to pass a test" and "fitting in to a community?" Is there not some element of functioning well with other people as a group that requires us to repress certain individual desires and traits for the good of achieving a common goal? Nobody actually likes working fast food, but customers feel better when employees act less surly and more complacent.
My wife is incredibly intelligent. She has a master’s degree and is working on her doctorate (definitely smarter than me). I still laugh about how, 12 years ago, she got rejected from a summer clerk job at a grocery store because she failed the online personality test. If anything, she was wildly overqualified. That store definitely missed out.
I’m surprised at your comment. I really doubt a person with a high level of intelligence is a good match for a grocery clerk job. That is one of the reasons the personality tests exist.
> We immediately began disclosure of this issue once we realized the potential impact. Unfortunately, no disclosure contacts were publicly available and we had to resort to emailing random people. The Paradox.ai security page just says that we do not have to worry about security!
In a past life, I had an investment stake in Krispy Kreme donuts. We were poking around to see if we could learn anything about the company. We watched a training video for new store managers. It told the viewer to go to some URL and enter their credentials. In the video, the example credentials were "admin" and "admin" as the password. So we tried that, and of course it worked on their live system. We immediately had access to global, live, online revenue data for every real Krispy Kreme outlet, not some training simulation.
Most people are not qualified to handle computer security, is what I learned from that.
When I started my job in 2000, I introduced my fellow (emeretus) DBA to "ps -ef | grep sqlplus" and sprayed a pile of user accounts and passwords. I fixed the problem and learned about Oracle databases.
I checked my apps into RCS archives later that decade with passwords. Expecting to move these archives into CVS, I changed them.
Now, any code repository that I touch, I will run "git grep password" (or the [TFS] equivalent) and once again hit pay dirt.
It seems to take a certain exposure, growth, and wisdom to be mindful of these things, and many are far behind.
It involves AI but AI wasn't the cause. It was an enumeration on object id, discovered because the author could access a test site with password 123456 and try things out.
I've been so lucky throughout my career to have almost entirely worked with competent and smart developers. I've always wondered what a conversation with one of these other ones is like, after a production site is found to use 123456/123456 as credentials. "Hey, Mike, we just had someone in the public notice that our admin interface could be accessed by anyone with default credentials. You're the manager on this project. How did this happen?" I would love to be a fly on the wall for that conversation, or read the postmortem. How does this kind of configuration even make it past code review, let alone staging and production?
"We outsourced it to the 3rd world cuz it costs 20 bucks a week to hire a "certified" sysadmin there"
You want data of any Large corp in the US - fly to well known outsourcing destinations. Stand outside the gate of their "global delivery centers". Hand out cash. Get access to whatever you want.
But the main thing to understand here in 2025 is that getting access to/monetizing user data has become so normalized, that you could legally just go to McD Biz Dev (or which ever other large corp) and say - hey guys I have this algo that can add 2 bucks of revenue per user per quarter (throw in a - just look at Meta they extract 70 bucks out of their American users and atleast 12 bucks out of everyone else per quarter just using the personal data). To test my algo, I need access to your DB. Your competitor has already given me access to theirs for testing.
It's rarely as simple as actually exposing something as a decision. Scope changes, access rules change, multiple systems interact in interesting ways, access configuration lives in a different place than the app, etc. You're implying that it wouldn't happen with competent developers, but I guarantee it does - just wait a bit longer and let the systems grow. The Swiss cheese will get everyone given enough time.
”Well you see, that work was outsourced to a team where none of the implementing developers are still present, our auditors and pen testers both signed off on it, and anyway we’ve got cyber insurance to cover the fallout.”
Paradox.ai hasn't fixed their vulnerabilities for years.
You used to be able to find full conversations with candidates indexed by Google, with PII, resumes, lots of sensitive data.
Now they add a verification step (sometimes) that still leaks the full e-mail and phone number:
"We sent you a verification code to your@email.xyz and SMS to 914-555-1212".
It was on my desk but it disappeared because it doesn't exist. Besides, it's weird that you're still talking about this Epstein guy when things like Texas happened.
> The personality test was a disturbing experience powered by Traitify.com where we were asked if phrases like “enjoys overtime” are either Me or Not Me. It was simple to guess that we should probably select Me for the pro-employer questions and Not Me for questions referencing being argumentative or aggressive, but it was still quite strange.
Offtopic from the security issue, but I wonder if they really get any value out of this "Personality test." It seems like it's just a CAPTCHA that makes sure the applicant knows when to lie correctly.
Similar tests have been standard for over 20 years. When I worked at McDonald's (late 90's), they didn't do the personality test, but when I applied across the street at Arby's a few years later, they did.
The one that I just got annoyed with and decided it wasn't worth switching from McD's to Arby's was "would you rather read a book or talk to a person?". I mean, I get it, they want people-focused-people, but being introverted and/or just liking books doesn't mean you can't give excellent customer service.
Sure, it's easy to guess what want most of the time, but the fact that personality tests are as widespread as they are in employment is maddening.
Many years later I worked at Chevron (upstream as an exploration geologist -- not a gas station). While they didn't do it as part of the application process, you were required to take a personality/communication style test when you started (ecolors). That's all well and good (it _is_ very useful to understand personalities for communication styles), but in a lot of roles you literally had to wear the colors on your badge. If you wanted to go into management, you essentially had to score "red over yellow". "Greens" and "blues" were considered to be limited to technical roles and were explicitly not given opportunities to advance, though it took a long time to realize that. I started out thinking "hey, this is actually practical" and then over a few years went to "oh, they're using this to decide who moves up... That's a problem". I asked folks and was told by my manager's manager that ecolors were explicitly used in advancement criteria and who got opportunities to lead projects/etc. That's around the time I left. I hear they've dialed that particular bit back a lot, but it's still very weird to me that it's considered a normal and acceptable practice.
Wow, talk about unintended consequences. I guarantee that at some early stage some non-sociopath genuinely thought that program would help people communicate. They underestimated the degree to which humans are willing to let tribalism supplant empathy.
Working in retail is 99% lying that you care about your job, so might as well start it out on the right footing.
What about working as a SWE at Google? Apparently they recently implemented a personality test as an initial screener (they call it a Googleyness test).
Google is screening for compliant, fungible engineers. Especially those swayed by the need to be told they’re the best of the best. Tests like that make sense in an ugly sort of way.
It doesn’t necessarily need to be beneficial for the company.
Game theoretically there’s an advantage as an employee of a successful company to artificially reduce the number of people who can be employed to raise your own relative value to the company. If Google can only select from left handed employees suddenly they need to pay higher wages and existing employees are facing less competition as new employees are selected from a smaller applicant pool and thus worse.
Probably not the actual answer, but it’s worth considering such indirect motivations.
I had a manager at a part time job at _Blockbuster_ say surprised in review “You make it sound like you are only working here for the money”.
I mean, lol, yes?
This Traitify the product makes me immediately suspicious. It asks candidates a few brief questions with images and assigns them personality and trait scores. Surely employers can’t think tools like this are good or accurate signals, right?
Most positions at McDonalds are entry-level and minimum wage. It’s not like they’re applying to NASA.
(https://www.traitify.com/)
A very large part of the population treats “minimum wage” as “maximum wage”.
Once you understand that, many behaviors make a lot of sense.
For the employer, the question is self fulfilling. Either way they get what they want. Even if someone knows enough to lie, the lie betrays that they’re desperate enough to be unable to resist anything management demands.
While also providing evidence that you do indeed love overtime based on your answer. Ugh… the only way to win is not to play.
Overtime can be enjoyable if you get paid overtime rates.
Maybe the goal isn't knowing when the lie as much as being willing to tolerate the bullshit they'll want to throw your way away the job. Presumably anyone not willing to say they like overtime (or unable to determine that's what the employer wants them to say) would not be compliant to demands to actually work overtime. If you don't give the answers they expect you to know you're supposed to give, they can likely rule out you as as an employee who will keep your head down and not rock the boat.
From talking to people who invigilate these tests, you'd be surprised by how people answer. For example, someone answers Yes to "It is ok to steal from my employer."
I think these tests optimize for multiple things. Part of the test is designed to weed out people who are hostile and violent. Plus it's an IQ test with a floor of around 80, which seems reasonable. And it judges how well you can follow orders and "play the game".
McDonald's has dealt with tens of millions of job applicants. Many of these people arrive with complex challenges. There's a reason why McDonald's uses tests like these.
It might make more sense if you take the perspective of a McDonald's worker. Imagine you're a typical McDonald's employee - maybe you're a mom with two kids. Let's say you get a new coworker. Wouldn't you feel a little safer to know that they passed this test?
It's a personality test, just not for what it says on the tin. It's a way of determining how beaten down by the system you are. Have you been taught yet that your corporate masters expect you to cheerily tell them how much you love being fry cook drone 732-b926? It's a measure of docility - they are seeing if you have been 'broken' yet. Everyone wants the workhorse, nobody wants to break him.
Is it simple to guess? I always assumed if you went too hard with those answers they'd assume you were lying and reject you.
Maybe this is why I never got the mcdonalds call back last time I was layed off.
Where's the line between "lying to pass a test" and "fitting in to a community?" Is there not some element of functioning well with other people as a group that requires us to repress certain individual desires and traits for the good of achieving a common goal? Nobody actually likes working fast food, but customers feel better when employees act less surly and more complacent.
I too was rejected from McDonald's.
My wife is incredibly intelligent. She has a master’s degree and is working on her doctorate (definitely smarter than me). I still laugh about how, 12 years ago, she got rejected from a summer clerk job at a grocery store because she failed the online personality test. If anything, she was wildly overqualified. That store definitely missed out.
I’m surprised at your comment. I really doubt a person with a high level of intelligence is a good match for a grocery clerk job. That is one of the reasons the personality tests exist.
Apologies for the nitpick, but being rejected for personality is (essentially) mutually exclusive from (over)qualification.
Pedants unite!
Best Buy for me.
It works as a reading comprehension test. Semi-literates giving random responses will stand out from the compliant ones who know how to play the game.
> We immediately began disclosure of this issue once we realized the potential impact. Unfortunately, no disclosure contacts were publicly available and we had to resort to emailing random people. The Paradox.ai security page just says that we do not have to worry about security!
Amazing.
Having a security.txt would be best, but they've updated the page to include a security email address which is a start.
One might even say paradoxical.
I cannot believe the 123456 worked, it's literally a joke from SpaceBalls.
Reminds me that I need to change the combination on my luggage…
In a past life, I had an investment stake in Krispy Kreme donuts. We were poking around to see if we could learn anything about the company. We watched a training video for new store managers. It told the viewer to go to some URL and enter their credentials. In the video, the example credentials were "admin" and "admin" as the password. So we tried that, and of course it worked on their live system. We immediately had access to global, live, online revenue data for every real Krispy Kreme outlet, not some training simulation.
Most people are not qualified to handle computer security, is what I learned from that.
When I started my job in 2000, I introduced my fellow (emeretus) DBA to "ps -ef | grep sqlplus" and sprayed a pile of user accounts and passwords. I fixed the problem and learned about Oracle databases.
I checked my apps into RCS archives later that decade with passwords. Expecting to move these archives into CVS, I changed them.
Now, any code repository that I touch, I will run "git grep password" (or the [TFS] equivalent) and once again hit pay dirt.
It seems to take a certain exposure, growth, and wisdom to be mindful of these things, and many are far behind.
It involves AI but AI wasn't the cause. It was an enumeration on object id, discovered because the author could access a test site with password 123456 and try things out.
I have so many questions to the developers but i believe the answers will just crush my poor worker soul so let it be.
I've been so lucky throughout my career to have almost entirely worked with competent and smart developers. I've always wondered what a conversation with one of these other ones is like, after a production site is found to use 123456/123456 as credentials. "Hey, Mike, we just had someone in the public notice that our admin interface could be accessed by anyone with default credentials. You're the manager on this project. How did this happen?" I would love to be a fly on the wall for that conversation, or read the postmortem. How does this kind of configuration even make it past code review, let alone staging and production?
"We outsourced it to the 3rd world cuz it costs 20 bucks a week to hire a "certified" sysadmin there"
You want data of any Large corp in the US - fly to well known outsourcing destinations. Stand outside the gate of their "global delivery centers". Hand out cash. Get access to whatever you want.
But the main thing to understand here in 2025 is that getting access to/monetizing user data has become so normalized, that you could legally just go to McD Biz Dev (or which ever other large corp) and say - hey guys I have this algo that can add 2 bucks of revenue per user per quarter (throw in a - just look at Meta they extract 70 bucks out of their American users and atleast 12 bucks out of everyone else per quarter just using the personal data). To test my algo, I need access to your DB. Your competitor has already given me access to theirs for testing.
What is corporate robot going to do?
They will hand you the data.
It's rarely as simple as actually exposing something as a decision. Scope changes, access rules change, multiple systems interact in interesting ways, access configuration lives in a different place than the app, etc. You're implying that it wouldn't happen with competent developers, but I guarantee it does - just wait a bit longer and let the systems grow. The Swiss cheese will get everyone given enough time.
> How does this kind of configuration even make it past code review
that's the secret - there is none
It's config not code - and a demo interface is a nice thing to have. The cross account read, however...
”Well you see, that work was outsourced to a team where none of the implementing developers are still present, our auditors and pen testers both signed off on it, and anyway we’ve got cyber insurance to cover the fallout.”
It certainly doesn't reflect well on AI as a BuzzWord.
Execs vetted this provider and approved it, which isn't irrelevant to the disregard for safety occuring with AI in general right now.
Additionally, are we certain the vendor didn't use AI to vibecode stuff?
Paradox.ai hasn't fixed their vulnerabilities for years.
You used to be able to find full conversations with candidates indexed by Google, with PII, resumes, lots of sensitive data.
Now they add a verification step (sometimes) that still leaks the full e-mail and phone number: "We sent you a verification code to your@email.xyz and SMS to 914-555-1212".
Funny I remember trying to get a job at McD's before and had to answer those behavioral questions kill 1 or 5
Hats off to Paradox for remediating this within 30 hours of reporting.
Hopefully it shouldn't take longer than 30 hours to change a password.
>Without much thought, we entered “123456” as the username and “123456” as the password
I feel like there's more to this that I'd love to know the story behind...
Perhaps it was implied that the username is numeric.
Maybe they ran a simple wordlist attack and wanted to launder the methods they used?
It’s kind of sad and yet expected that McDonald’s responds. Wyeth to security vulnerabilities than many Internet companies do.
[dead]
[flagged]
They're on a test menu. Sometimes you see it, sometimes you don't.
It was on my desk but it disappeared because it doesn't exist. Besides, it's weird that you're still talking about this Epstein guy when things like Texas happened.
It's unfortunate the administration can only focus on one thing and can't handle Texas and Epstein at the same time.