Burger King Parent RBI Exposed by Ethical Hackers


Recently, ethical hackers uncovered critical vulnerabilities in platforms hosted by Restaurant Brands International, the parent company that owns such major fast food chains as Burger King, Popeyes Louisiana Kitchen, and Tim Hortons. Two ethical hackers, known as BobDaHacker and BobTheShoplifter, revealed that flaws in RBI’s security allowed them to access internal systems and even spy on conversations taking place over drive-through speakers.

A Whopper of a Problem

The flaws discovered by these ethical hackers were detailed in a now-removed blog post on BobDaHacker’s website. However, the details of the flaws they found are still available through other sources.

The vulnerabilities found by the hackers include:

  • An API through Amazon Web Services Cognito that allows anyone to sign up as a user and access privileged information.
  • The password for RBI’s equipment ordering website hardcoded into the HTML, with password protection only on the client side.
  • Drive-through tablets using the default “admin” password.
  • Compromised employee accounts and configurations.
  • Access to raw recordings of drive-through audio containing customer data.
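
The second finding above, a password shipped inside the page and checked only in the browser, is worth seeing next to its fix. The following is an added example, not code from the original article or from any RBI system: the password value, HTML and route names are constructed placeholders, since the article does not reproduce the real ones. The vulnerable gate embeds the secret in the page it serves (so every visitor can read it from the source); the hardened version keeps only a salted PBKDF2 hash server-side and compares in constant time. A small detector shows how a reviewer can spot the anti-pattern in static HTML.

```python
"""Client-side-only password gate versus server-side verification (added example)."""
import hashlib
import hmac
import os
import re
from typing import Dict, List

# Constructed placeholder; the article does not disclose the real value.
SHARED_PASSWORD = "example-ordering-password"


def render_client_side_gate() -> str:
    """Anti-pattern: the comparison runs in the browser, so the secret is in the page."""
    return f"""<script>
  function unlock() {{
    if (document.getElementById('pw').value === '{SHARED_PASSWORD}') {{
      document.getElementById('catalog').style.display = 'block';
    }}
  }}
</script>"""


def render_server_side_gate() -> str:
    """Hardened form: the page only collects the password and posts it to the server."""
    return """<form method="post" action="/login">
  <input type="password" name="pw">
  <button type="submit">Unlock</button>
</form>"""


def find_literal_comparisons(html: str) -> List[str]:
    """Crude static check: string literals on the right of == / === in page script.

    A hit is not proof of a secret, but a password-looking literal here is exactly
    the pattern described in the article and deserves a look.
    """
    pattern = re.compile(r"""==\s*(['"])([^'"]{4,})\1""")
    return [m.group(2) for m in pattern.finditer(html)]


def make_password_record(password: str, iterations: int = 200_000) -> Dict[str, object]:
    """Server-side storage: random salt plus PBKDF2-HMAC-SHA256 digest, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_server_side(submitted: str, record: Dict[str, object]) -> bool:
    """Recompute the digest for the submitted value and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", submitted.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    print("literals found in vulnerable page:", find_literal_comparisons(render_client_side_gate()))
    print("literals found in hardened page:", find_literal_comparisons(render_server_side_gate()))
    rec = make_password_record(SHARED_PASSWORD)
    print("correct password accepted:", verify_server_side(SHARED_PASSWORD, rec))
    print("wrong password rejected:", not verify_server_side("guess", rec))
```

The point of the contrast is that a client-side check is not access control at all: whatever the browser can evaluate, the user can read. A shared password is still a weak control even when verified server-side, so per-user accounts with audit logging are the better end state; the record/verify functions above are the minimum that keeps the secret off the wire and out of the page.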

The Risks

Vulnerabilities like these pose risks to employees, customers, and the companies themselves. They could expose personal employee and customer information, allow misuse of AI systems, enable analysis of recorded conversations, and grant access to internal systems. Leaving self-service user sign-up enabled on an AWS Cognito user pool means that anyone, inside or outside the company, can create an account and gain unauthorized access to the internal services and resources behind it.
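Open self-registration on a Cognito user pool, the first finding in the list above and the risk described in this paragraph, is something a defender can check for across an account. The following is an added example, not code from the article or from RBI: it reads the `AdminCreateUserConfig.AllowAdminCreateUserOnly` setting that the real `DescribeUserPool` API returns (self sign-up is enabled whenever that flag is false or absent, which is the default), flags the pools that need attention, and keeps the evaluation separate from the AWS call so it can be exercised on the constructed sample below without credentials. The pool IDs and names in the sample are made up.

```python
"""Audit Amazon Cognito user pools for open self-registration (added example)."""
from typing import Any, Dict, Iterable, List

# Constructed sample of trimmed DescribeUserPool responses; IDs and names are placeholders.
SAMPLE_POOLS: List[Dict[str, Any]] = [
    {"Id": "us-east-1_EXAMPLE1", "Name": "ordering-portal",
     "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False}},
    {"Id": "us-east-1_EXAMPLE2", "Name": "staff-sso",
     "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": True}},
    # Key never set: Cognito's default is to allow self sign-up.
    {"Id": "us-east-1_EXAMPLE3", "Name": "legacy-pool"},
]


def self_signup_enabled(pool: Dict[str, Any]) -> bool:
    """True when anyone can call SignUp against this pool.

    AllowAdminCreateUserOnly=True restricts account creation to administrators;
    False, or a missing setting, leaves public registration open.
    """
    cfg = pool.get("AdminCreateUserConfig") or {}
    return not cfg.get("AllowAdminCreateUserOnly", False)


def find_open_pools(pools: Iterable[Dict[str, Any]]) -> List[str]:
    """Return the IDs of pools that still accept self-service sign-up."""
    return [pool["Id"] for pool in pools if self_signup_enabled(pool)]


def fetch_pools_from_aws(region: str) -> List[Dict[str, Any]]:
    """Pull every user pool in a region with boto3 (needs credentials; not used by the test)."""
    import boto3  # imported here so the audit logic above runs without boto3 installed

    client = boto3.client("cognito-idp", region_name=region)
    pools: List[Dict[str, Any]] = []
    kwargs: Dict[str, Any] = {"MaxResults": 60}  # MaxResults is required by ListUserPools
    while True:
        page = client.list_user_pools(**kwargs)
        for summary in page.get("UserPools", []):
            pools.append(client.describe_user_pool(UserPoolId=summary["Id"])["UserPool"])
        token = page.get("NextToken")
        if not token:
            return pools
        kwargs["NextToken"] = token


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in fetch_pools_from_aws("us-east-1")
    # to audit a real account.
    for pool_id in find_open_pools(SAMPLE_POOLS):
        print(f"self sign-up ENABLED on {pool_id}")
```

Pools the audit flags can be closed with `aws cognito-idp update-user-pool --user-pool-id <id> --admin-create-user-config AllowAdminCreateUserOnly=true`, with one caveat: `UpdateUserPool` resets any setting you do not pass to its default, so copy the existing configuration from `describe-user-pool` and change only this flag rather than sending the flag alone. Closing sign-up does not remove accounts that were already self-registered, so the user list should be reviewed at the same time.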

The discovery of these critical vulnerabilities has broader implications for data security in the fast food sector, highlighting what could be widespread security flaws with far-reaching consequences for many organizations, not just RBI and its subsidiaries. The fast food sector is heavily reliant on technology for a wide range of operations, but it has not been inclined to prioritize cybersecurity despite increasing cyberthreats against restaurants. “As restaurants increasingly adopt digital solutions and interconnected systems, investing in comprehensive cybersecurity measures is no longer optional,” says Patrick Tiquet, Vice President, Security & Architecture at Keeper Security, a Chicago-based provider of zero-trust and zero-knowledge cybersecurity software.

The Ethical Hacking Angle

Ethical hackers uncover security flaws and vulnerabilities in order to bring them to light so that organizations can take steps to fix them and prevent malicious exploitation. That these flaws were discovered by ethical hackers is undoubtedly a good thing: BobDaHacker and BobTheShoplifter responsibly disclosed the information in the interest of security research and intelligence sharing. The actions they were able to carry out on RBI systems demonstrate “that there is a lot to improve both in application security and data governance,” according to Boris Cipot, Senior Security Engineer at Black Duck, a Burlington, Massachusetts-based provider of application security solutions.

If these same vulnerabilities were to be exploited by malicious actors, there could be severe consequences for RBI and its subsidiaries, employees, and customers. Threat actors could take advantage of security flaws to carry out a variety of nefarious actions, from leaking sensitive information about employees and customers to manipulating internal systems using ill-gained access.

The Corporate Response

After the post disclosing the flaws was published, the ethical hackers received a DMCA complaint from a company acting on behalf of the Burger King corporation. The complaint cites copyright infringement and states that the content of the blog post “promotes illegal activity and spreads false information.” It also claims that the post constituted an unauthorized use of the Burger King trademark and may confuse the public into thinking that the blog is connected to the company.

The response from the hackers was to remove the post “rather than engage in a legal dispute.” They maintain that their security research “was conducted ethically and in the public interest,” and believe the trademark dispute is a pretext used to shut down discussion of the critical flaws in the company’s systems. RBI has reportedly addressed the problems since being informed, but the company has not publicly acknowledged the disclosure. The DMCA complaint raises questions about transparency, disclosure, and corporate accountability in the face of significant security issues.

The Bigger Picture

This discovery brings up an important conversation about the growing intersection of fast food, technology, and data collection. Corporations of all kinds and across all sectors are heavily reliant on technology that is often unsecured, misconfigured, and vulnerable to malicious and accidental security incidents. The disclosure of these flaws emphasizes the importance of robust security in customer-facing AI and IoT systems. Enterprises reliant on interconnected devices and systems should see this incident as a sign to reassess their own security to prevent such flaws from posing a danger to their systems and data.

Author
  • Contributing Writer, Security Buzz
    PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.