We Hacked Burger King: How Auth Bypass Led to Drive-Thru Audio Surveillance
4 days ago
- #vulnerabilities
- #privacy
- #cybersecurity
- Restaurant Brands International (RBI) controls over 30,000 locations worldwide, including Burger King, Tim Hortons, and Popeyes.
- Discovered vulnerabilities in RBI's 'assistant' platform, allowing access to every store globally, including drive-thru conversations.
- Found three domains with the same vulnerabilities: assistant.bk.com, assistant.popeyes.com, and assistant.timhortons.com.
- Identified a signup API flaw where user signups were not disabled, allowing unauthorized access with fake credentials.
- GraphQL introspection revealed an endpoint bypassing email verification, with passwords emailed in plain text.
- Authenticated access provided a global store directory, exposing employee personal information and store details.
- Discovered a token generator mutation (createToken) requiring no authentication, granting admin privileges across the platform.
- Found an equipment ordering website with client-side password protection and hardcoded passwords in HTML.
- Accessed drive-thru control interfaces, including main and diagnostic screens, with weak password 'admin'.
- Could manipulate drive-thru audio levels and access raw voice recordings of customer orders, which the platform analyzes with AI.
- Bathroom rating screens and APIs were found, allowing unauthenticated spam reviews for any location.
- Admin powers enabled adding/removing stores, managing employee accounts, sending notifications, and accessing sales data.
- Privacy violations included access to voice recordings with PII, potentially violating GDPR.
- RBI responded quickly to fix vulnerabilities but did not comment on the issues.
- No customer data was retained during research, and responsible disclosure protocols were followed.
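The createToken finding above, as an added example that is not code from the article or from RBI's platform: a constructed token-minting mutation with the defect the article describes (no authentication check, privilege level chosen by the caller) beside a guarded version in which the role is looked up server-side and the caller must already hold an admin session. The `USERS` directory, signing key and `require_role` decorator are assumptions made for this demo.

```python
import base64, hashlib, hmac, json, secrets
from dataclasses import dataclass
from typing import Optional

# Constructed demo data: server-side user directory and signing key (not RBI's).
SIGNING_KEY = secrets.token_bytes(32)
USERS = {"alice": "admin", "bob": "staff"}

class AuthError(Exception):
    """Raised when a mutation is called without the required authentication."""

@dataclass
class Caller:
    user_id: str
    role: str  # taken from the verified session, never from the request body

def sign_token(claims: dict) -> str:
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    mac = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"

def verify_token(token: str) -> dict:
    body, mac = token.rsplit(".", 1)
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise AuthError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body))

def create_token_vulnerable(args: dict, caller: Optional[Caller] = None) -> str:
    # Defect pattern from the article: no auth check, and the role comes from the request.
    return sign_token({"sub": args["user_id"], "role": args.get("role", "admin")})

def require_role(role: str):
    """Decorator that rejects unauthenticated callers and callers lacking `role`."""
    def decorate(fn):
        def wrapper(args: dict, caller: Optional[Caller] = None):
            if caller is None:
                raise AuthError("authentication required")
            if caller.role != role:
                raise AuthError(f"{role} role required")
            return fn(args, caller)
        return wrapper
    return decorate

@require_role("admin")
def create_token_hardened(args: dict, caller: Caller) -> str:
    # Role is looked up server-side for the target user; the caller cannot choose it.
    target = args["user_id"]
    if target not in USERS:
        raise KeyError(f"unknown user {target}")
    return sign_token({"sub": target, "role": USERS[target], "issued_by": caller.user_id})
```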