Burger King hacked, attackers 'impressed by the commitment to terrible security practices' — systems described as 'solid as a paper Whopper wrapper in the rain,' also exploited other RBI brands like Tim Hortons and Popeyes

A Burger King outlet
(Image credit: Burger King on Facebook)

Ethical hackers BobDaHacker and BobTheShoplifter have detailed their claim that they uncovered “catastrophic” vulnerabilities in multiple platforms hosted by Restaurant Brands International (RBI). While RBI may not be a very familiar name, this lax security meant that the systems powering mega brands like Burger King, Tim Hortons, and Popeyes, with over 30,000 locations worldwide, were almost trivially easy to hack. “Their security was about as solid as a paper Whopper wrapper in the rain,” snarks the BobDaHacker blog, sharing the full technical exposé (the blog has since been taken down, but it's archived here).

(Image credit: BobDaHacker and BobTheShoplifter)

RBI’s vulnerabilities were of whopping proportions

We mentioned the three big fast food brands in the intro, and the two Bobs found that every one of their assistant platform domains shared the same vulnerabilities. The domains were https://assistant.bk.com, https://assistant.popeyes.com, and https://assistant.timhortons.com, and they could all be easily exploited, across all the group’s 30,000+ locations worldwide. Once in the systems, a hacker could easily:

  • View and edit employee accounts
  • Listen to drive-through customer chat recordings
  • Access and control store tablet interfaces
  • Order store equipment like tablets
  • Send notifications to stores
  • And more

How the vulnerabilities were discovered

The BobDaHacker blog makes the discovery of the multitude of gaping security holes seem almost trivial. Firstly, it is claimed that the ‘Anyone Can Join This Party’ signup API allowed anyone in, as the web dev team had “forgot to disable user signups.”

Subsequently, using GraphQL introspection, an “even easier signup endpoint that completely bypassed email verification” was unearthed. The password was then emailed back in plain text, which left the two Bobs “impressed by the commitment to terrible security practices.”

After authentication, the white-hat hackers were able to uncover store employee personal information, internal IDs, configuration details, and more. Furthermore, a GraphQL mutation called createToken allowed the (thankfully) ethical duo to “promote ourselves to admin status across the entire platform.”
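The resolver pattern behind that kind of self-promotion, beside a hardened version, as an added example that is not from the BobDaHacker write-up or RBI's code; the user store, role names, function names and the introspection check are assumptions made for illustration:

```python
# Added illustration, not RBI's code: a createToken-style mutation resolver
# that trusts a client-supplied role, next to one that derives authority from
# the server's own record of the caller.
from dataclasses import dataclass
from typing import Optional

# Constructed sample user store: the server-side source of truth for roles.
USERS = {
    "alice": {"role": "admin"},
    "mallory": {"role": "user"},  # self-registered through an open signup endpoint
}
KNOWN_ROLES = ("user", "admin")

@dataclass
class Context:
    """Per-request context: the user id from a validated session, or None."""
    caller: Optional[str]

def create_token_vulnerable(ctx, args):
    """Vulnerable pattern: mints whatever role the client asks for and never
    checks who the caller is or what they are allowed to issue."""
    return {"subject": args["user"], "role": args.get("role", "user")}

def create_token_hardened(ctx, args):
    """Hardened pattern: the caller must be authenticated, may only issue
    tokens for themselves unless they are an admin, and may never request a
    role above the one the server already holds for them."""
    if ctx.caller is None or ctx.caller not in USERS:
        raise PermissionError("authentication required")
    caller_role = USERS[ctx.caller]["role"]
    target = args["user"]
    requested = args.get("role", "user")
    if requested not in KNOWN_ROLES:
        raise PermissionError("unknown role")
    if target != ctx.caller and caller_role != "admin":
        raise PermissionError("only admins may issue tokens for other users")
    if requested == "admin" and caller_role != "admin":
        raise PermissionError("cannot escalate to admin")
    return {"subject": target, "role": requested}

def introspection_allowed(query, production):
    """Refuse schema introspection in production so hidden mutations are not
    mapped out for free; leave it on in development where it is useful."""
    is_introspection = "__schema" in query or "__type" in query
    return not (production and is_introspection)

def is_denied(resolver, ctx, args):
    """True when the resolver refuses the request with PermissionError."""
    try:
        resolver(ctx, args)
        return False
    except PermissionError:
        return True
```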

Password hard coded in the HTML

RBI’s catalog of security errors didn’t end there. A quick detour to RBI's equipment ordering website earned the prize of discovering a self-install device ordering system where the password was hard coded into the HTML.

A similar security gaffe was found in the drive-through tablet interfaces in outlets. They had password protection, but the two Bobs show this was also hard coded as ‘admin’ – who’d’ve guessed that?

(Image credit: BobDaHacker and BobTheShoplifter)

Adding another teetering cherry to this deliciously vulnerable cake, the ethical hackers discovered they could access the full raw audio files of people ordering food at the outlet drive-throughs. Sometimes that audio included personally identifiable information. Interestingly, RBI feeds these recordings to AI-based systems to weigh customer and employee metrics.

It didn’t end there, as the hackers found the code for the restaurant chains’ bathroom rating screens. It apparently crossed their minds to “give a 5-star review to a bathroom in Tokyo while sitting in your pajamas in Ohio,” but as staunchly white-hat operatives, that, of course, didn’t happen.

Last but not least, the BobDaHacker blog insists that “no customer data was retained during this research,” with responsible disclosure protocols followed throughout the process. However, we wonder whether these recent experiences influenced their parting shot, which cheekily asserts that “Wendy's is better.”


Mark Tyson
News Editor

Mark Tyson is a news editor at Tom's Hardware. He enjoys covering the full breadth of PC tech; from business and semiconductor design to products approaching the edge of reason.