Ethical hackers BobDaHacker and BobTheShoplifter discovered serious security vulnerabilities at Restaurant Brands International (RBI), the group behind Burger King. The vulnerabilities allowed them to access employee accounts, eavesdrop on drive-through conversations, and control store interfaces at more than 30,000 Burger King, Tim Hortons, and Popeyes locations worldwide.
After successfully breaking in, the hackers were able to view and edit employee accounts, eavesdrop on drive-through conversations, control store tablets, order store equipment, and send notifications to stores. This access applies to all 30,000+ locations of the group worldwide.
According to the BobDaHacker blog, no customer data was stored during the investigation. The hackers followed responsible disclosure protocols. Despite this ethical approach, they were never acknowledged by RBI for their findings.
Simple intrusion with far-reaching consequences
According to the BobDaHacker blog, discovering the security vulnerabilities was almost trivial. The hackers got into RBI’s assistant platforms at https://assistant.bk.com, https://assistant.popeyes.com, and https://assistant.timhortons.com with little effort. The two Bobs found a registration API that the development team had forgotten to disable, so new user accounts could still be created. Through GraphQL introspection they then found an endpoint that completely bypassed email verification.
After authentication, the hackers gained access to personal information of store employees, internal IDs, and configuration details. A GraphQL mutation called createToken allowed them to promote themselves to administrator rights across the entire platform.
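As an added defensive illustration (not code from the researchers or RBI), the following Python scans a constructed GraphQL request log for the two patterns in this story: introspection queries, and createToken mutations issued by callers who are not already administrators. The log format, field names and the assumption that only admins legitimately call createToken are constructed for the example.

```python
"""Detection sketch: flag GraphQL request log entries matching the two
patterns from the RBI disclosure, schema introspection and createToken
mutations issued by callers who are not already administrators.
The log format and field names are constructed for this example."""
import json
import re

# Constructed sample log, one JSON record per request. Not real RBI data.
SAMPLE_LOG = """
{"ts":"2025-09-01T10:00:01Z","user":"u1","role":"staff","query":"{ store(id: 42) { name } }"}
{"ts":"2025-09-01T10:00:05Z","user":"anon","role":"anonymous","query":"query { __schema { mutationType { fields { name } } } }"}
{"ts":"2025-09-01T10:00:07Z","user":"u1","role":"staff","query":"{ store(id: 42) { __typename name } }"}
{"ts":"2025-09-01T10:00:09Z","user":"u7","role":"staff","query":"mutation { createToken(userId: 7) { token } }"}
{"ts":"2025-09-01T10:00:12Z","user":"admin1","role":"admin","query":"mutation Mint($id: ID!) { createToken(userId: $id) { token } }"}
"""

# __schema / __type reveal the whole API surface; __typename is routine and
# is excluded by the word boundary after "type".
INTROSPECTION = re.compile(r"\b__(schema|type)\b")
# Any mutation, named or anonymous, whose selection set starts with createToken.
CREATE_TOKEN = re.compile(r"\bmutation\b[^{]*\{\s*createToken\b")
# Roles for which minting tokens is expected (assumption for this example).
TRUSTED_ROLES = {"admin"}


def analyze(log_text: str) -> list[dict]:
    """Return one finding per suspicious request, in log order."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        query = rec["query"]
        if INTROSPECTION.search(query):
            findings.append({"ts": rec["ts"], "user": rec["user"],
                             "rule": "introspection_query"})
        if CREATE_TOKEN.search(query) and rec["role"] not in TRUSTED_ROLES:
            findings.append({"ts": rec["ts"], "user": rec["user"],
                             "rule": "createToken_by_non_admin"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']:<8} {f['rule']}")
```

Running it on the sample flags the anonymous introspection query and the staff user's createToken call, while the admin's token minting and the routine __typename lookup pass unflagged.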
Passwords and privacy risks
The security issues did not end there. On RBI’s equipment ordering website, the password was hard-coded in the HTML. A similar error was found in the drive-through tablet interfaces in branches, where the password was simply “admin.”
Even more worrying: the hackers discovered that they had access to the complete raw audio files of people ordering food at drive-throughs. Sometimes these recordings contained personally identifiable information. RBI feeds these recordings into AI systems to measure customer and employee statistics.
The hackers also found code for restaurant toilet review screens. The researchers concluded their findings with a playful remark: “Wendy’s is better.” Wendy’s is a fast-food chain in the United States that competes closely with Burger King.