{"id":16701,"date":"2025-09-09T15:47:41","date_gmt":"2025-09-09T15:47:41","guid":{"rendered":"http:\/\/localhost\/?p=16701"},"modified":"2025-09-09T15:47:41","modified_gmt":"2025-09-09T15:47:41","slug":"popeyes-tim-hortons-burger-king-platforms-have-8220catastrophic8221-vulnerabilities-say-hackers","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=16701","title":{"rendered":"Popeyes, Tim Hortons, Burger King platforms have &#8220;catastrophic&#8221; vulnerabilities, say hackers_MALWAREBYTES:6F306F38A8A9D4C55F3123B8701CE8C0"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2025-09-09T20:05:21&#8243;,&#8221;description&#8221;:&#8221;Two ethical hackers say they have uncovered massive security vulnerabilities in the platforms hosted by Restaurant Brands International (RBI).\\n\\nRBI is one of the world&#8217;s largest quick service restaurant companies. It was formed in 2014 through a $12.5 billion merger of the American fast food chain Burger King and the Canadian coffee and restaurant chain Tim Hortons. Since then, RBI has expanded its brand portfolio to include Popeyes Louisiana Kitchen, acquired in 2017, and Firehouse Subs. It operates a global network of over 32,000 restaurants across more than 120 countries and territories.\\n\\nThe two researchers who scrutinized the security were far from impressed. Their blog, now removed but archived, states:\\n\\n\\u003e \u201cTheir security was about as solid as a paper Whopper wrapper in the rain.  \\n\\u003e We stumbled upon vulnerabilities so catastrophic that we could access every single store in their global empire. From a Burger King in Times Square to that lonely Tim Hortons where Bugs Bunny shoulda taken a left turn at Albuquerque. Oh, and did we mention we could listen to your actual drive-thru conversations? Yeah, that happened too.\u201d\\n\\nThe researchers say they found that RBI uses AWS Cognito but forgot to turn off user signups. 
AWS Cognito is a managed service from Amazon Web Services that helps developers handle user signups, sign-ins, and access control without building these features from scratch.\\n\\nDisabling user signups is important to make sure that only authorized personnel get accounts, which may be created and managed centrally by IT administrators. This approach reduces the attack surface by blocking open self-registration and unauthorized account creation, which is critical for protecting sensitive internal resources and services. Administrators can then validate and approve accounts before enabling user access to applications managed via Cognito.\\n\\nAfter making their way in through that gateway, the researchers said they realised they could have saved themselves the trouble because they found an even easier signup endpoint that completely bypassed email verification, resulting in an email with the password in plain text.\\n\\nThe researchers say they found three assistant platforms (domains bk.com, popeyes.com, and timhortons.com) were all vulnerable and could enable an attacker to:\\n\\n  * Access voice recordings of customer orders\\n  * Add\/remove\/manage franchise stores\\n  * View and edit employee accounts\\n  * Access store analytics and sales data\\n  * Upload files and send notifications to any store&#8217;s systems\\n  * Use a self-install device ordering system (with the password hard-coded into the HTML)\\n\\nThey also say they found that the voice recordings of customer orders, raw audio files of real people ordering food, complete with background conversations, car radios, and sometimes personally identifiable information (PII), were fed into an AI to analyze things like:\\n\\n  * Customer sentiment\\n  * Employee friendliness levels\\n  * Upsell success rates\\n  * Order processing times\\n  * How many times employees said \\&#8221;You rule\\&#8221; (because that&#8217;s definitely a crucial business metric)\\n\\nThe only good thing about 
this story is that despite the researchers finding all these vulnerabilities in one day, RBI fixed them the same day. But apparently without acknowledging the researchers or commenting on the vulnerabilities.&#8221;,&#8221;published&#8221;:&#8221;2025-09-09T19:24:19&#8243;,&#8221;modified&#8221;:&#8221;2025-09-09T19:24:19&#8243;,&#8221;type&#8221;:&#8221;malwarebytes&#8221;,&#8221;title&#8221;:&#8221;Popeyes, Tim Hortons, Burger King platforms have \\u0026#8220;catastrophic\\u0026#8221; vulnerabilities, say 
hackers&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;MALWAREBYTES:6F306F38A8A9D4C55F3123B8701CE8C0&#8243;,&#8221;bulletinFamily&#8221;:&#8221;blog&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[],&#8221;sourceData&#8221;:&#8221;&#8221;,&#8221;sourceHref&#8221;:&#8221;&#8221;,&#8221;cvss&#8221;:{&#8220;score&#8221;:0,&#8221;severity&#8221;:&#8221;NONE&#8221;,&#8221;vector&#8221;:&#8221;NONE&#8221;,&#8221;version&#8221;:&#8221;NONE&#8221;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},&#8221;href&#8221;:&#8221;https:\/\/www.malwarebytes.com\/blog\/news\/2025\/09\/popeyes-tim-hortons-burger-king-platforms-have-catastrophic-vulnerabilities-say-hackers&#8221;,&#8221;category_name&#8221;:&#8221;News&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;&#8221;,&#8221;version&#8221;:&#8221;&#8221;,&#8221;vendor&#8221;:&#8221;&#8221;,&#8221;ai_description&#8221;:&#8221;&
#8221;,&#8221;ai_severity&#8221;:&#8221;&#8221;,&#8221;ai_vendor&#8221;:&#8221;&#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2025-09-09T20:05:21&#8243;,&#8221;description&#8221;:&#8221;Two ethical hackers say they have uncovered massive security vulnerabilities in the platforms hosted by Restaurant Brands International (RBI).\\n\\nRBI is one of the world&#8217;s largest&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-16701","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Popeyes, Tim Hortons, Burger King platforms have &#8220;catastrophic&#8221; vulnerabilities, say hackers_MALWAREBYTES:6F306F38A8A9D4C55F3123B8701CE8C0 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=16701\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Popeyes, Tim Hortons, Burger King platforms have &#8220;catastrophic&#8221; vulnerabilities, say hackers_MALWAREBYTES:6F306F38A8A9D4C55F3123B8701CE8C0 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{&#8220;lastseen&#8221;:&#8221;2025-09-09T20:05:21&#8243;,&#8221;description&#8221;:&#8221;Two ethical hackers say they have uncovered 
massive security vulnerabilities in the platforms hosted by Restaurant Brands International (RBI).nnRBI is one of the world&#8217;s largest...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=16701\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-09-09T15:47:41+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=16701#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=16701\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Popeyes, Tim Hortons, Burger King platforms have &#8220;catastrophic&#8221; vulnerabilities, say 
hackers_MALWAREBYTES:6F306F38A8A9D4C55F3123B8701CE8C0\",\"datePublished\":\"2025-09-09T15:47:41+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=16701\"},\"wordCount\":781,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"malwarebytes\",\"news\",\"NONE\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=16701#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=16701\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=16701\",\"name\":\"Popeyes, Tim Hortons, Burger King platforms have &#8220;catastrophic&#8221; vulnerabilities, say hackers_MALWAREBYTES:6F306F38A8A9D4C55F3123B8701CE8C0 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-09-09T15:47:41+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=16701#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=16701\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=16701#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Popeyes, Tim Hortons, Burger King platforms have &#8220;catastrophic&#8221; vulnerabilities, say hackers_MALWAREBYTES:6F306F38A8A9D4C55F3123B8701CE8C0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero 
redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Popeyes, Tim Hortons, Burger King platforms have &#8220;catastrophic&#8221; vulnerabilities, say hackers_MALWAREBYTES:6F306F38A8A9D4C55F3123B8701CE8C0 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=16701","og_locale":"en_US","og_type":"article","og_title":"Popeyes, Tim Hortons, Burger King platforms have &#8220;catastrophic&#8221; vulnerabilities, say hackers_MALWAREBYTES:6F306F38A8A9D4C55F3123B8701CE8C0 - zero redgem","og_description":"{&#8220;lastseen&#8221;:&#8221;2025-09-09T20:05:21&#8243;,&#8221;description&#8221;:&#8221;Two ethical hackers say they have uncovered massive security vulnerabilities in the platforms hosted by Restaurant Brands International (RBI).nnRBI is one of the world&#8217;s largest...","og_url":"https:\/\/zero.redgem.net\/?p=16701","og_site_name":"zero redgem","article_published_time":"2025-09-09T15:47:41+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=16701#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=16701"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Popeyes, Tim Hortons, Burger King platforms have &#8220;catastrophic&#8221; vulnerabilities, say hackers_MALWAREBYTES:6F306F38A8A9D4C55F3123B8701CE8C0","datePublished":"2025-09-09T15:47:41+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=16701"},"wordCount":781,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","malwarebytes","news","NONE","Security","tapic","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=16701#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=16701","url":"https:\/\/zero.redgem.net\/?p=16701","name":"Popeyes, Tim Hortons, Burger King platforms have &#8220;catastrophic&#8221; vulnerabilities, say hackers_MALWAREBYTES:6F306F38A8A9D4C55F3123B8701CE8C0 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-09-09T15:47:41+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=16701#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=16701"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=16701#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Popeyes, Tim Hortons, Burger King platforms have &#8220;catastrophic&#8221; vulnerabilities, say 
hackers_MALWAREBYTES:6F306F38A8A9D4C55F3123B8701CE8C0"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/16701","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users
\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16701"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/16701\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16701"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16701"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16701"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}