Popeyes, Tim Hortons, Burger King platforms have “catastrophic” vulnerabilities, say hackers

Two ethical hackers say they have uncovered massive security vulnerabilities in the platforms hosted by Restaurant Brands International (RBI).

RBI is one of the world’s largest quick service restaurant companies. It was formed in 2014 through a $12.5 billion merger of the American fast food chain Burger King and the Canadian coffee and restaurant chain Tim Hortons. Since then, RBI has expanded its brand portfolio to include Popeyes Louisiana Kitchen, acquired in 2017, and Firehouse Subs. It operates a global network of over 32,000 restaurants across more than 120 countries and territories.

The two researchers who scrutinized the security were far from impressed. Their blog post, since removed but archived, states:

“Their security was about as solid as a paper Whopper wrapper in the rain.
We stumbled upon vulnerabilities so catastrophic that we could access every single store in their global empire. From a Burger King in Times Square to that lonely Tim Hortons where Bugs Bunny shoulda taken a left turn at Albuquerque. Oh, and did we mention we could listen to your actual drive-thru conversations? Yeah, that happened too.”

The researchers say they found that RBI uses AWS Cognito but forgot to turn off user signups. AWS Cognito is a managed service from Amazon Web Services that helps developers handle user signups, sign-ins, and access control without building these features from scratch.

Disabling user signups is important to make sure that only authorized personnel get accounts, which may be created and managed centrally by IT administrators. This approach reduces the attack surface by blocking open self-registration and unauthorized account creation, which is critical for protecting sensitive internal resources and services. Administrators can then validate and approve accounts before enabling user access to applications managed via Cognito.

Having made their way in through that gateway, the researchers said they realised they could have saved themselves the trouble: they found an even easier signup endpoint that bypassed email verification entirely, and it sent an email containing the password in plain text.
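The two Cognito settings the last two paragraphs turn on, open self-registration and signup without a verified contact attribute, are both visible in the pool configuration that the `DescribeUserPool` API returns. The following audit script is an added example written for this article, not code from RBI or the researchers; the pool id is a placeholder and the sample response is constructed.

```python
"""Audit an Amazon Cognito user pool for open self-registration.

Constructed example, not RBI's or the researchers' code. It checks the
'UserPool' dict that DescribeUserPool returns for the two settings the
article turns on: self-service signup left enabled, and no auto-verified
contact attribute (signup completes without email verification).
"""


def audit_user_pool(pool: dict) -> list[str]:
    """Return findings for one DescribeUserPool 'UserPool' dict."""
    findings = []
    admin_only = pool.get("AdminCreateUserConfig", {}).get(
        "AllowAdminCreateUserOnly", False)
    if not admin_only:
        findings.append("SELF_SIGNUP_ENABLED: anyone can call SignUp; "
                        "set AllowAdminCreateUserOnly=true")
    if not pool.get("AutoVerifiedAttributes"):
        findings.append("NO_AUTO_VERIFIED_ATTRIBUTES: signup needs no "
                        "email or phone verification")
    return findings


def remediation_params(pool_id: str) -> dict:
    """kwargs for UpdateUserPool that close self-registration.

    Caveat: UpdateUserPool resets every attribute you omit to its default,
    so merge this into the pool's full current configuration before calling.
    """
    return {"UserPoolId": pool_id,
            "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": True}}


# Constructed sample mirroring the misconfiguration the article describes.
OPEN_POOL = {
    "Id": "us-east-1_EXAMPLE",  # placeholder pool id
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False},
    "AutoVerifiedAttributes": [],
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:  # live audit: python audit.py <user-pool-id>
        import boto3  # only needed for live audits
        pool = boto3.client("cognito-idp").describe_user_pool(
            UserPoolId=sys.argv[1])["UserPool"]
    else:
        pool = OPEN_POOL
    for finding in audit_user_pool(pool) or ["OK: self-registration closed"]:
        print(finding)
```

Run without arguments to see the findings for the constructed sample, or with a user pool id (and AWS credentials that allow `cognito-idp:DescribeUserPool`) to audit a real pool.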

The researchers say they found three assistant platforms (domains bk.com, popeyes.com, and timhortons.com) were all vulnerable and could enable an attacker to:

  • Access voice recordings of customer orders
  • Add/remove/manage franchise stores
  • View and edit employee accounts
  • Access store analytics and sales data
  • Upload files and send notifications to any store’s systems
  • Use a self-install device ordering system (with the password hard-coded into the HTML)

They also say they found that the voice recordings of customer orders (raw audio files of real people ordering food, complete with background conversations, car radios, and sometimes personally identifiable information (PII)) were fed into an AI to analyze things like:

  • Customer sentiment
  • Employee friendliness levels
  • Upsell success rates
  • Order processing times
  • How many times employees said “You rule” (because that’s definitely a crucial business metric)

The only good thing about this story is that, despite the researchers finding all these vulnerabilities in one day, RBI fixed them the same day, though apparently without acknowledging the researchers or commenting on the vulnerabilities.

If you were involved in this or any other data breach, please read: Involved in a data breach? Here’s what you need to know.

Do not share further personal information. Avoid sharing additional personal details publicly on social media or online directories that could be linked to your exposed information. You can check what information is already out there about you by using our free Digital Footprint Scanner.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.