A “Catastrophic” Flaw in Burger King’s Parent Company Exposed
Two security researchers, operating under the pseudonyms BobDaHacker and BobTheShoplifter, claim to have uncovered “catastrophic” vulnerabilities in the systems of Restaurant Brands International (RBI)—the parent company of Burger King, Tim Hortons, and Popeyes, which together operate more than 30,000 restaurants worldwide. According to the researchers, breaching RBI’s internal services was “trivially easy”—their blog even likened the company’s defenses to “a Whopper wrapper soaked through in the rain.” Though the technical report was swiftly taken down, an archived copy has since resurfaced.
The flaws allegedly granted access to employee accounts, ordering systems, and even recordings of drive-thru conversations. Through administrative interfaces, it was possible to control restaurant tablets, push notifications, and submit equipment orders. These systems were hosted on the domains assistant.bk.com, assistant.popeyes.com, and assistant.timhortons.com, serving restaurants across all RBI brands.
The researchers explained that entry was possible simply because developers had “forgotten to disable registration.” Further API and GraphQL analysis revealed ways to bypass email verification, while passwords were stored in plain text. By exploiting a separate createToken call, the researchers were able to assign themselves administrator rights across the platform.
Additional flaws were discovered in other RBI services. In the equipment ordering system, a password was hardcoded directly into the HTML. Customer-facing drive-thru tablets relied on the universal password “admin.” The researchers also found unsecured audio recordings of customer orders, which RBI reportedly used to train quality-assurance systems. Some of these recordings even contained personal data.
The researchers stressed that they did not retain any user information and followed responsible disclosure practices. However, they claimed RBI offered no acknowledgment or gratitude for their findings. They concluded their report with a wry remark: “Wendy’s is still better.”