Security vulnerabilities reported in Burger King and other Restaurant Brands International's platforms, then gagged by DMCA
Take action: This is beyond shameful. Someone should send the bosses at RBI the dictionary definition of the "Streisand Effect".
Ethical hackers discovered critical security vulnerabilities in Restaurant Brands International's digital infrastructure that allowed unauthorized access to over 30,000 Burger King, Tim Hortons, and Popeyes locations worldwide. The vulnerabilities, described by researchers as "catastrophic" and security "about as solid as a paper Whopper wrapper in the rain," enabled complete administrative control over store systems and access to sensitive customer drive-thru audio recordings.
Two ethical hackers operating under the pseudonyms BobDaHacker and BobTheShoplifter discovered multiple severe security flaws in RBI's "Assistant" platform, which serves as the digital backbone for drive-thru operations, employee management, and store interfaces across the company's global restaurant network. The vulnerabilities affected three primary domains: assistant.bk.com, assistant.popeyes.com, and assistant.timhortons.com, representing over 30,000 locations worldwide operated by the $8.5 billion corporation.
Using GraphQL introspection, which makes a server list every query and mutation it exposes, the hackers found an endpoint that completely bypassed the platform's email verification requirement. They then identified a GraphQL mutation called "createToken" that let an ordinary account escalate itself to full administrator status across the entire platform.
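The two halves of that finding, as an added example for this article (not the researchers' code or RBI's): first, what an introspection response reveals to anyone who asks, and how an auditor would triage the mutations it lists; second, the server-side authorization check that actually closes such a hole, since disabling introspection only hides the mutation's name. The schema is constructed; apart from the name "createToken", every field, argument and role name below is hypothetical.

```python
"""Enumerate a GraphQL server's mutations from an introspection response,
flag the ones that touch authentication or authorization, and show the
server-side policy check a resolver should run.

Added example for this article; not the researchers' code or RBI's. The
schema is constructed: only the name "createToken" comes from the article,
every other field, argument and role name is hypothetical.
"""
import json
import re

# The query an attacker (or an auditor) sends to a server with introspection on.
INTROSPECTION_QUERY = """
query { __schema { mutationType { name }
  types { name fields { name args { name type { name kind ofType { name kind } } } } } } }
"""


def _scalar(name):
    return {"name": name, "kind": "SCALAR", "ofType": None}


def _non_null(inner):
    return {"name": None, "kind": "NON_NULL", "ofType": inner}


# Constructed response in the shape a GraphQL server returns for the query above.
SAMPLE_RESPONSE = json.dumps({"data": {"__schema": {
    "mutationType": {"name": "Mutation"},
    "types": [
        {"name": "Query", "fields": [
            {"name": "store", "args": [{"name": "id", "type": _non_null(_scalar("ID"))}]}]},
        {"name": "Mutation", "fields": [
            {"name": "createToken", "args": [
                {"name": "email", "type": _scalar("String")},
                {"name": "role", "type": _scalar("String")}]},
            {"name": "updateMenuItem", "args": [
                {"name": "id", "type": _scalar("ID")},
                {"name": "price", "type": _scalar("Float")}]},
            {"name": "skipEmailVerification", "args": [
                {"name": "userId", "type": _non_null(_scalar("ID"))}]}]},
        {"name": "String", "fields": None},
    ]}}})

# Words that usually mark a mutation as auth-relevant and worth manual review.
SENSITIVE = re.compile(r"token|role|admin|verif|password|privilege|grant", re.I)


def type_name(t):
    """Render a type reference in SDL notation, unwrapping NON_NULL and LIST."""
    if t is None:
        return "?"
    if t.get("name"):
        return t["name"]
    inner = type_name(t.get("ofType"))
    return inner + "!" if t["kind"] == "NON_NULL" else "[" + inner + "]"


def list_mutations(response_text):
    """Return [(mutation, [(arg, type), ...]), ...] from an introspection response."""
    schema = json.loads(response_text)["data"]["__schema"]
    root = (schema.get("mutationType") or {}).get("name")
    for t in schema["types"]:
        if root and t["name"] == root:
            return [(f["name"], [(a["name"], type_name(a["type"])) for a in f["args"]])
                    for f in t["fields"] or []]
    return []


def flag_sensitive(mutations):
    """Mutations whose name or any argument name matches SENSITIVE."""
    return [name for name, args in mutations
            if SENSITIVE.search(name) or any(SENSITIVE.search(a) for a, _ in args)]


# Hardened side. Turning introspection off only hides the names; the fix is a
# server-side policy that every mutation resolver consults before acting.
# Role names are hypothetical; unlisted mutations are denied by default.
POLICY = {
    "createToken": {"admin"},
    "updateMenuItem": {"admin", "manager"},
    "skipEmailVerification": set(),  # nobody may call this through the API
}


def authorize(caller, mutation):
    """True only if the caller's email is verified and its role is allowed.

    `caller` is the identity the server established from the session, never
    anything the client put into the mutation's arguments (such as a `role`).
    """
    if not caller.get("email_verified"):
        return False
    return caller.get("role") in POLICY.get(mutation, set())


if __name__ == "__main__":
    muts = list_mutations(SAMPLE_RESPONSE)
    for name, args in muts:
        mark = "  <-- review" if name in flag_sensitive(muts) else ""
        print(f"{name}({', '.join(f'{a}: {t}' for a, t in args)}){mark}")
```

The triage is deliberately noisy: a mutation that takes a `role` argument from the client is exactly the shape to look at first, because the resolver is trusting input for a decision only the server's own session state should make.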
Once elevated to administrator privileges, the researchers gained access to voice recordings from drive-thru interactions that contained personally identifiable information, recordings that RBI was feeding to AI systems to analyse customer interactions and employee performance.
The security lapses extended beyond the main Assistant platform. On RBI's equipment ordering website, researchers discovered that authentication passwords were hardcoded directly into the client-side HTML, readable by anyone who viewed the page source, which gave access to the franchisee ordering system for drive-thru equipment packages. Even more concerning, the drive-thru tablet interfaces at individual restaurant locations used the simple password "admin".
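A check for both of those weaknesses, as an added example for this article (not the researchers' tooling or RBI's code): a scan over a page's client-side source for secrets assigned to password-like identifiers and for password comparisons performed in the browser, with any value on a short factory-default list flagged. The HTML, the identifier and the secret value are constructed.

```python
"""Scan client-side assets for hard-coded credentials and for password checks
done in the browser, and flag values that sit on a factory-default list.

Added example for this article; not the researchers' tooling or RBI's code.
The page below is constructed to show the two weaknesses the article
describes: a password embedded in a script, and a device that accepts "admin".
"""
import re

# Constructed HTML; the identifier and secret value are hypothetical.
SAMPLE_HTML = """<html><head><script>
  var apiBase = "/api/v2";
  var ORDER_PASSWORD = "s3cret-ordering-pw";
  const token = localStorage.getItem("session");
  if (document.getElementById("pw").value === "admin") { unlock(); }
</script></head><body><input id="pw" type="password"></body></html>"""

# An identifier that names a secret, assigned a string literal.
ASSIGN_RE = re.compile(
    r"""\b(?P<name>\w*(?:pass(?:word|wd|phrase)|secret|api[_-]?key|token)\w*)"""
    r"""\s*[:=]\s*["'](?P<value>[^"']+)["']""",
    re.I,
)
# A comparison of something password-like against a string literal: the check
# itself runs in the browser, where the expected value is readable.
COMPARE_RE = re.compile(
    r"""(?P<lhs>[\w.()"'\[\]]*(?:pw|pass\w*)[\w.()"'\[\]]*)\s*===?\s*["'](?P<value>[^"']+)["']""",
    re.I,
)
# Minimal list; a real scan would load a full default-credential wordlist.
DEFAULT_PASSWORDS = {"admin", "password", "1234", "12345", "123456", "default", "changeme"}


def is_default_password(candidate):
    """True if the value is a well-known factory default (case-insensitive)."""
    return candidate.strip().lower() in DEFAULT_PASSWORDS


def scan_assets(text):
    """Return one finding per hard-coded credential or client-side password check.

    Each finding carries the kind, the identifier (or left-hand expression),
    the literal value, and whether that value is a known default.
    """
    findings = []
    for m in ASSIGN_RE.finditer(text):
        findings.append({"kind": "hardcoded_credential",
                         "name": m.group("name"), "value": m.group("value")})
    for m in COMPARE_RE.finditer(text):
        findings.append({"kind": "client_side_password_check",
                         "name": m.group("lhs"), "value": m.group("value")})
    for f in findings:
        f["is_default"] = is_default_password(f["value"])
    return findings


if __name__ == "__main__":
    for f in scan_assets(SAMPLE_HTML):
        flag = " [DEFAULT]" if f["is_default"] else ""
        print(f"{f['kind']}: {f['name']} = {f['value']!r}{flag}")
```

Both patterns are intentionally simple and will miss obfuscated or concatenated secrets; the point is that anything the browser can compare against or send as a credential is already in the attacker's hands, so the only durable fix is to move the check server-side and rotate the exposed value.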
The researchers emphasized that they followed responsible disclosure protocols throughout their investigation, reporting all vulnerabilities to RBI within one hour of discovery. They confirmed that no customer data was retained during their research and that no drive-thru orders were compromised.
RBI apparently fixed all identified vulnerabilities on the same day they were reported, but the company never acknowledged the researchers' efforts or provided any official statement about the security flaws.
Instead of recognition, the researchers faced legal pressure when RBI's contractor Cyble issued a DMCA takedown notice against their blog post detailing the vulnerabilities. The notice, filed under the Digital Millennium Copyright Act, alleged unauthorized use of the "Burger King" trademark and claimed the content promoted illegal activity, spread false information, and damaged the company's reputation; the DMCA's takedown mechanism covers copyright infringement, not trademark use or reputational harm, so the notice's stated basis does not fit the statute it invokes. The original blog post, titled "We Hacked Burger King", remained online for less than 48 hours before being removed, but archived copies continue to circulate in the cybersecurity community.
The number of affected customers and any specific financial impact from these vulnerabilities have not been disclosed, as RBI has not released an official statement regarding the security incident. The company's approach of using legal action to suppress security research rather than publicly addressing the vulnerabilities has drawn criticism from cybersecurity professionals.