Hackers discover vulnerabilities in Burger King, Popeyes, and Tim Hortons employee platforms

Posted date 16/09/2025

Two ethical hackers, known as BobDaHacker and BobTheShoplifter, discovered vulnerabilities in the digital platforms of Restaurant Brands International (RBI), the parent company of Burger King, Tim Hortons, and Popeyes. The main problem stemmed from a misconfiguration in AWS Cognito, the Amazon Web Services service used for account and access management. The company had not disabled default user self-registration, so accounts could be created by any third party rather than only by system administrators. In addition, the researchers found a registration endpoint that completely bypassed email verification and resulted in an email being sent with the account password in plain text.
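The Cognito setting at the centre of this story is a single flag on the user pool: when `AllowAdminCreateUserOnly` is false (the default), anyone can call the public sign-up API. The following is an added example, not code from the article or from RBI, that audits a user-pool description for that flag and for email verification, and returns the corrected settings beside the weak ones. The two pool dictionaries are constructed sample data in the shape of boto3's `describe_user_pool` response (`response["UserPool"]`); the pool id is a placeholder and no AWS account is contacted. It checks the pool configuration only; an application's own registration endpoint that emails passwords in plain text, as described above, has to be reviewed separately.

```python
"""Audit an AWS Cognito user pool description for open self-registration
and missing email verification, and produce the hardened configuration.

Sample data below is CONSTRUCTED in the shape of
boto3.client("cognito-idp").describe_user_pool(UserPoolId=...)["UserPool"].
"""
import copy
from typing import Dict, List

# Constructed sample: the weak configuration. AllowAdminCreateUserOnly is
# false (Cognito's default), so the public SignUp call creates accounts,
# and email is the username but is never verified automatically.
WEAK_POOL: Dict = {
    "Id": "us-east-1_PLACEHOLDER",  # placeholder, not a real pool id
    "Name": "employee-portal",
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False},
    "AutoVerifiedAttributes": [],
    "UsernameAttributes": ["email"],
}

# Constructed sample: the same pool with both settings corrected.
HARDENED_POOL: Dict = {
    "Id": "us-east-1_PLACEHOLDER",
    "Name": "employee-portal",
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": True},
    "AutoVerifiedAttributes": ["email"],
    "UsernameAttributes": ["email"],
}


def audit_user_pool(pool: Dict) -> List[str]:
    """Return a list of findings for the pool; an empty list means no issue found."""
    findings: List[str] = []

    # Finding 1: self-registration. Only administrators should create
    # accounts on an internal/employee platform.
    admin_only = pool.get("AdminCreateUserConfig", {}).get("AllowAdminCreateUserOnly", False)
    if not admin_only:
        findings.append(
            "SELF_SIGNUP_ENABLED: AllowAdminCreateUserOnly is false, "
            "so unauthenticated callers can create accounts via SignUp"
        )

    # Finding 2: email used as the username but not auto-verified, so an
    # account can be created with an address its creator does not control.
    username_attrs = pool.get("UsernameAttributes", [])
    verified_attrs = pool.get("AutoVerifiedAttributes", [])
    if "email" in username_attrs and "email" not in verified_attrs:
        findings.append(
            "EMAIL_NOT_VERIFIED: email is the username attribute but is not "
            "listed in AutoVerifiedAttributes"
        )
    return findings


def harden_user_pool(pool: Dict) -> Dict:
    """Return a copy of the pool description with both weaknesses corrected.

    The returned dict mirrors what you would pass to update_user_pool
    (AdminCreateUserConfig and AutoVerifiedAttributes); the input is not mutated.
    """
    fixed = copy.deepcopy(pool)
    fixed.setdefault("AdminCreateUserConfig", {})["AllowAdminCreateUserOnly"] = True
    if "email" in fixed.get("UsernameAttributes", []):
        verified = set(fixed.get("AutoVerifiedAttributes", []))
        verified.add("email")
        fixed["AutoVerifiedAttributes"] = sorted(verified)
    return fixed


if __name__ == "__main__":
    for label, pool in (("weak", WEAK_POOL), ("hardened", HARDENED_POOL)):
        print(f"[{label}] {pool['Name']}")
        for finding in audit_user_pool(pool) or ["OK: no findings"]:
            print("  -", finding)
    print("[weak -> fixed]", audit_user_pool(harden_user_pool(WEAK_POOL)) or "OK: no findings")
```

In a real environment the same `audit_user_pool` function would be run over every pool returned by `list_user_pools`, and a non-empty result for any pool that backs an internal system is the signal to set `AllowAdminCreateUserOnly` to true before anything else.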

Through these configuration errors, the researchers demonstrated that an attacker could reach multiple critical functions of Restaurant Brands International systems. These included listening to recordings of customer orders, managing franchises, viewing and editing employee accounts, viewing sales data, sending notifications, and even using an ordering system whose HTML source contained embedded passwords. All of this posed a direct risk to both customer privacy and the company's operational security.

Another significant finding was the handling of customer voice recordings. The audio, which captured real people ordering food, background conversations, car radios, and in some cases personally identifiable information, was analyzed using artificial intelligence to evaluate metrics such as customer satisfaction, employee friendliness, upselling success, and order processing times.

The vulnerabilities were fixed by Restaurant Brands International on the same day they were reported, although the company did not publicly acknowledge the researchers or comment on the incident.