As reported by Tom's Hardware, a pair of hackers successfully compromised the cybersecurity of Restaurant Brands International (RBI), which owns Burger King, Popeyes, and Tim Hortons. They uncovered "catastrophic" vulnerabilities so bad it led the hackers to comment, "We're not even mad, just impressed by the commitment to terrible security practices."
Those "terrible security practices" were alarmingly extensive. The hackers were able to:
- Easily access RBI's Amazon Web Services (AWS) systems.
- Create new user accounts.
- Promote themselves to admin status.
- Access employees' personal information.
- Order store equipment.
- Add and manage stores.
- Access store tablet interfaces.
- Access voice recordings of customers ordering at the drive-thru—which the pair allege are being used to train an AI model.
The pair of hackers explained their project and findings in a blog post that went live on September 6, only to be taken down within 24 hours and replaced with a notice that they received a DMCA complaint from RBI.
Luckily, the original blog post is still visible on the Wayback Machine, where it states: "We stumbled upon vulnerabilities so catastrophic that we could access every single store in their global empire.
"From a Burger King in Times Square to that lonely Tim Hortons where Bugs Bunny shoulda taken a left turn at Albuquerque. Oh, and did we mention we could listen to your actual drive-thru conversations? Yeah, that happened too."
The hackers, "BobDaHacker" and "BobTheShoplifter," have a stated mission of cracking systems to uncover security vulnerabilities and reporting them in an effort to improve security, rather than using this access for their own enrichment.
In terms of fixing the security loopholes the hackers found, the original blog post detailing the RBI hack states that, "RBI's response time was impressive." So, it sounds like at least some of the issues BobDaHacker and BobDaShoplifter found have been resolved, although they also said RBI didn't directly respond to them or comment on the vulnerabilities the hackers reported.
It seems the Bobs accomplished what they set out to do, which was uncover and report major security flaws, though RBI thanked them with a DMCA complaint. While it's concerning that RBI apparently had security this weak, it's a good thing the Bobs discovered it before someone else could.
They even closed out their blog post by claiming that they didn't store any data from their project: "No customer data was retained during this research. No drive-thru orders were harmed in the making of this blog post. Responsible disclosure protocols were followed throughout. We still think the Whopper is pretty good, but Wendy's is better. So Long, and Thanks for All the Fish."
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
