NEWS The password "Admin" opened the doors to the Burger King empire for any hacker. Four letters became the key to 30,000 restaurants.

ExcalibuR

Such oversights simultaneously impact privacy, reputation, and operational security.

Two researchers using the pseudonyms BobDaHacker and BobTheShoplifter stated that they discovered "catastrophic" vulnerabilities in the systems of Restaurant Brands International (RBI). The company owns chains such as Burger King, Tim Hortons, and Popeyes, comprising over 30,000 restaurants worldwide. According to the researchers, breaking into the internal services was trivial: their blog compared RBI's security to "a Whopper wrapper left out in the rain." The technical report was soon deleted, but a copy remains available in web archives.

The vulnerabilities allowed access to employee accounts and order systems, and even made it possible to listen to drive-thru recordings. Through administrative interfaces it was also possible to control in-restaurant tablets, send notifications, and place equipment orders. All of this ran on the domains assistant.bk.com, assistant.popeyes.com, and assistant.timhortons.com, which serve every restaurant in the respective chains.

According to the authors, they gained access to the system because the developers "forgot to disable registration." Further analysis of the API and its GraphQL endpoint revealed that email verification could be bypassed and that passwords were stored in plain text. Using a separate createToken call, the researchers were able to assign themselves administrator rights across the entire platform.
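
The paragraph above describes four missing controls in one sign-up and token flow: registration left open, unverified email accepted, passwords kept in plain text, and a createToken call that honours a caller-chosen role. The sketch below is an added illustration (not RBI's code, not the researchers' code) of what the same flow looks like with each of those checks in place; the mutation name createToken comes from the article, everything else (the invite list, the sample address, the hashing parameters) is a constructed assumption.

```python
"""Minimal account/token service with the checks the article says were absent.
Hypothetical code for illustration; not the code of any real service."""
import hashlib
import hmac
import os
import secrets

# Constructed allow-list: self-registration is closed unless the address was invited.
INVITED_EMAILS = {"manager@example.test"}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the plaintext is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AccountService:
    def __init__(self):
        self.users = {}  # email -> record holding only salt + hash, never the password

    def register(self, email, password):
        if email not in INVITED_EMAILS:
            raise PermissionError("registration is closed to uninvited addresses")
        salt, digest = hash_password(password)
        self.users[email] = {"salt": salt, "hash": digest, "verified": False,
                             "role": "staff",  # role is assigned server-side only
                             "verify_code": secrets.token_urlsafe(16)}
        # Stands in for the out-of-band e-mail; a real API never echoes this to the client.
        return self.users[email]["verify_code"]

    def verify_email(self, email, code):
        user = self.users[email]
        if not hmac.compare_digest(user["verify_code"], code):
            return False
        user["verified"] = True
        return True

    def create_token(self, email, password, requested_role=None):
        """Issue a session token only for a verified account with a matching password.
        The role in the token comes from the stored record; a client-supplied role
        that differs from it is refused instead of honoured."""
        user = self.users.get(email)
        if user is None:
            return None
        _, digest = hash_password(password, user["salt"])
        if not hmac.compare_digest(digest, user["hash"]) or not user["verified"]:
            return None
        if requested_role is not None and requested_role != user["role"]:
            return None
        return {"sub": email, "role": user["role"], "tok": secrets.token_urlsafe(24)}
```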

Mistakes were also found in other RBI services. In the equipment ordering system, the password was hardcoded in the HTML. On the tablets used to serve customers in the drive-thru, the password was "admin". The hackers also found unprotected audio recordings of orders, which are used to train systems that analyze restaurant performance and service quality. These recordings sometimes contained customers' personal data.

The researchers emphasize that they did not save any user information and acted according to the rules of responsible vulnerability disclosure. However, they say the company did not thank them for the bugs they found. They concluded with an ironic remark: "Wendy's is better anyway."