Hackers access Burger King systems with ease
"The vulnerabilities allowed them to access employee accounts, eavesdrop on drive-through conversations, and control store interfaces at more than 30,000 Burger King, Tim Hortons, and Popeyes locations worldwide. After successfully breaking in, the hackers were able to view and edit employee accounts, eavesdrop on drive-through conversations, control store tablets, order store equipment, and send notifications to stores. This access applies to all 30,000+ locations of the group worldwide."
"Hackers were able to easily penetrate RBI's assistant platforms for https://assistant.bk.com, https://assistant.popeyes.com, and https://assistant.timhortons.com. The two Bobs discovered a registration API that the development team had forgotten to disable for user registrations. They then discovered an endpoint via GraphQL introspection that completely bypassed email verification. After authentication, the hackers gained access to personal information of store employees, internal IDs, and configuration details. A GraphQL mutation called createToken allowed them to promote themselves to administrator rights across the entire platform."
"The security issues did not end there. On RBI's equipment ordering website, the password was hard-coded in the HTML. A similar error was found in the drive-through tablet interfaces in branches, where the password was simply "admin." According to the BobDaHacker blog, no customer data was stored during the investigation. The hackers followed responsible disclosure protocols. Despite this ethical approach, they were never acknowledged by RBI for their findings."
Serious security weaknesses at Restaurant Brands International (RBI) allowed ethical hackers to access employee accounts, eavesdrop on drive-through conversations, control in-store tablets, order equipment, and send notifications across more than 30,000 Burger King, Tim Hortons, and Popeyes locations worldwide. The researchers used a registration API that had been left enabled, then found through GraphQL introspection an endpoint that bypassed email verification entirely; once authenticated, a GraphQL mutation named createToken let them grant themselves administrator privileges across the platform. Additional flaws included a password hard-coded in the HTML of the equipment-ordering site and a default "admin" password on the drive-through tablet interfaces. The testers followed responsible disclosure, stated that no customer data was stored during the investigation, and received no acknowledgment from RBI.
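The three server-side failures the report names (a registration mutation left enabled, introspection exposed in production, and a token-issuing mutation with no role check) all sit at the same place in a GraphQL deployment: the gate in front of the resolver layer. The following is an added example, not code from RBI, the researchers, or the Techzine article, showing what such a gate looks like in plain Node.js with no external packages. The operation names `register` and `verifyEmail`, the role name `admin`, and the `user` object shape are assumptions for illustration; `createToken` is the mutation named in the report.

```javascript
// Added example (not from the article or RBI): a gatekeeper that inspects an
// incoming GraphQL operation and enforces deployment policy before any
// resolver runs. Deliberately dependency-free so it runs stand-alone.

const PRODUCTION = true;

// Policy 1: operations that must be unreachable in production. A leftover
// registration endpoint is the first weakness in the report. (Assumed name.)
const DISABLED_OPERATIONS = new Set(["register"]);

// Policy 2: an unverified account may only touch operations that complete
// verification, so no "forgotten" endpoint can skip the step. (Assumed name.)
const PRE_VERIFICATION_ALLOWED = new Set(["verifyEmail"]);

// Policy 3: privileged mutations and the role each requires. createToken is
// the mutation named in the report; "admin" is an assumed role label.
const PRIVILEGED_OPERATIONS = { createToken: "admin" };

// Tokenizer: strings are one token so braces inside them are not counted.
const TOKEN = /"(?:[^"\\]|\\.)*"|\.\.\.|[{}():]|@?[_A-Za-z][_0-9A-Za-z]*|\S/g;

// Return the top-level field names of an operation's selection set, i.e. the
// queries/mutations actually being invoked. Skips arguments, aliases,
// directives, fragment spreads and anything nested deeper than one level.
function topLevelFields(query) {
  const tokens = query.match(TOKEN) || [];
  const fields = [];
  let brace = 0, paren = 0, afterSpread = false;
  for (let i = 0; i < tokens.length; i++) {
    const t = tokens[i];
    if (t === "{") { brace++; continue; }
    if (t === "}") { brace--; continue; }
    if (t === "(") { paren++; continue; }
    if (t === ")") { paren--; continue; }
    if (t === "...") { afterSpread = true; continue; }
    if (afterSpread) { afterSpread = t === "on"; continue; } // "...Frag" / "... on T"
    if (brace !== 1 || paren !== 0) continue;            // only depth-1 selections
    if (!/^[_A-Za-z]/.test(t)) continue;                   // directives, literals, "$var"
    if (tokens[i + 1] === ":") continue;                   // alias; real name follows
    fields.push(t);
  }
  return fields;
}

// Decide whether `user` (null when unauthenticated) may run `query`.
// Returns every reason for denial so the caller can log them all.
function authorize(query, user) {
  const fields = topLevelFields(query);
  const denied = [];
  for (const f of fields) {
    if (PRODUCTION && (f === "__schema" || f === "__type")) {
      denied.push(`${f}: introspection is disabled in production`);
    } else if (DISABLED_OPERATIONS.has(f)) {
      denied.push(`${f}: operation is disabled`);
    } else if (user && !user.emailVerified && !PRE_VERIFICATION_ALLOWED.has(f)) {
      denied.push(`${f}: account has not completed email verification`);
    } else if (f in PRIVILEGED_OPERATIONS) {
      const role = PRIVILEGED_OPERATIONS[f];
      if (!user || !user.roles.includes(role)) {
        denied.push(`${f}: requires role "${role}"`);
      }
    }
  }
  return { allowed: denied.length === 0, fields, denied };
}

// Constructed sample traffic mirroring the reported sequence; not real requests.
function demo() {
  const staff = { roles: ["staff"], emailVerified: true };
  const unverified = { roles: ["staff"], emailVerified: false };
  const samples = [
    ["anonymous, introspection", "query { __schema { types { name } } }", null],
    ["anonymous, leftover register", 'mutation { register(email: "a@b") { id } }', null],
    ["unverified, normal query", "{ me { id } }", unverified],
    ["staff, escalation attempt", 'mutation { createToken(role: "admin") { token } }', staff],
  ];
  for (const [label, q, u] of samples) {
    const r = authorize(q, u);
    console.log(`${label}: ${r.allowed ? "ALLOW" : "DENY " + r.denied.join("; ")}`);
  }
}
demo();
```

The point of returning every denial reason rather than the first is that the log line then shows the full shape of a probe (introspection plus a disabled mutation in one request is a strong signal), which is what a detection rule wants to key on. Introspection is useful in development, so `PRODUCTION` should come from the deployment environment, not from a constant as in this stand-alone version.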
Read at Techzine Global