# We Hacked Burger King: How Authentication Bypass Led to Drive-Thru Audio Surveillance

Authors: BobDaHacker & BobTheShoplifter
Date: September 6, 2025

---

## The Setup

Restaurant Brands International (RBI) owns Burger King, Tim Hortons, and Popeyes, with 30,000+ locations globally. They operate an "assistant" platform that powers drive-thru screens, bathroom feedback tablets, and employee interactions. Security on this platform was extremely weak, and the issues below gave access to every store worldwide.

Vulnerable domains included:

- https://assistant.bk.com
- https://assistant.popeyes.com
- https://assistant.timhortons.com

---

## Major Vulnerabilities

### "Anyone Can Join This Party" Signup API

- The system used AWS Cognito but did not disable self-service user signups.
- Email verification was bypassable via a GraphQL signup mutation.
- Passwords were emailed in plain text. In 2025.

### Global Store Directory Access

- Any authenticated user could query a GraphQL endpoint listing every store worldwide, with internal IDs, employee information, and configurations.
- A user search query was also exposed, so sensitive employee data could be enumerated quickly.

### "No Authentication, No Problem" Token Generator

- A GraphQL mutation, createToken, generated tokens with no authentication required.
- The tokens granted admin privileges across all stores.

### Drive-Thru Equipment Store

- RBI's equipment ordering site was protected only by a client-side password check, with the password hardcoded in the HTML.
- Items like "Single Lane Kits" (including tablets) could be ordered without proper security.

### Drive-Thru Control Room

- Store tablets ran a web app that was accessible via the tokens.
- The main screen listed previous conversations, each with its drive-thru audio recording.
- The diagnosis screen was "password protected" with the value "admin" hardcoded client-side.
- APIs allowed control over drive-thru audio levels (volume, tone).
- The tokens could list any store's drive-thru configuration.
- A file upload API issued JWT-signed AWS URLs that allowed uploading files anywhere in the system.
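The signup weakness described above comes down to a Cognito user pool that allows self-registration, with account confirmation left to application code. The following Python audit is an added example (not RBI's code and not from the original post) that checks a describe_user_pool-style description for those settings; the two pool descriptions are constructed, and the pool ID and password thresholds are assumptions.

```python
"""Flag Cognito user-pool settings that leave self-signup open.

Added example; the two pool descriptions below are constructed to mirror
the shape returned by boto3's cognito-idp describe_user_pool(), and the pool
ID and password thresholds are assumptions, not values from the post.
"""
from typing import Dict, List

# Constructed: a pool anyone can register against. AllowAdminCreateUserOnly
# is False, so the public SignUp API works, and no attribute is auto-verified,
# so Cognito itself never sends a verification code; confirming the account
# is left entirely to application code (which is where a bypass can hide).
OPEN_POOL = {
    "UserPool": {
        "Id": "us-east-1_EXAMPLE",
        "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False},
        "AutoVerifiedAttributes": [],
        "Policies": {
            "PasswordPolicy": {"MinimumLength": 6, "TemporaryPasswordValidityDays": 30}
        },
    }
}

# Constructed: the same pool with self-signup closed. Only an admin can create
# users, email must be verified, and temporary passwords (delivered by
# Cognito's own invite message and forced to change on first login) live one day.
HARDENED_POOL = {
    "UserPool": {
        "Id": "us-east-1_EXAMPLE",
        "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": True},
        "AutoVerifiedAttributes": ["email"],
        "Policies": {
            "PasswordPolicy": {"MinimumLength": 12, "TemporaryPasswordValidityDays": 1}
        },
    }
}


def audit_user_pool(description: Dict) -> List[str]:
    """Return one finding per weak setting; an empty list means no findings."""
    pool = description["UserPool"]
    findings: List[str] = []

    admin_only = pool.get("AdminCreateUserConfig", {}).get("AllowAdminCreateUserOnly", False)
    if not admin_only:
        findings.append("self-signup open: AllowAdminCreateUserOnly is False, anyone can call SignUp")

    if "email" not in pool.get("AutoVerifiedAttributes", []):
        findings.append("email not in AutoVerifiedAttributes: Cognito sends no verification code, "
                        "confirmation is left to application code")

    # Cognito defaults: MinimumLength 8, TemporaryPasswordValidityDays 7.
    policy = pool.get("Policies", {}).get("PasswordPolicy", {})
    if policy.get("MinimumLength", 8) < 12:
        findings.append("MinimumLength below 12")
    if policy.get("TemporaryPasswordValidityDays", 7) > 1:
        findings.append("temporary passwords valid for more than one day")
    return findings


if __name__ == "__main__":
    for name, pool in (("open", OPEN_POOL), ("hardened", HARDENED_POOL)):
        print(name, audit_user_pool(pool) or ["no findings"])
```

Against a live pool, `boto3.client("cognito-idp").describe_user_pool(UserPoolId=...)` returns the same shape and can be passed straight to `audit_user_pool`. Note that mailing passwords in plain text is an application-layer choice the pool configuration cannot see; the audit only tells you whether the front door is open.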
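The createToken mutation above handed out all-store admin tokens to anyone who asked, and the same tokens could then list any store's drive-thru configuration. The Python below is an added example (not RBI's code and not from the original post) of what the resolver should have enforced: a session, membership in the requested store, a role copied from the session, a short lifetime, and a per-resource store check on the way back in. The vulnerable variant is a plausible shape for the behaviour described, and the signing key, field names and one-hour lifetime are assumptions.

```python
"""A createToken resolver that needs a session and pins the token to one store.

Added example, not RBI's code. The vulnerable variant is a plausible shape for
the behaviour the post describes; the signing key, field names and one-hour
lifetime are assumptions.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

SECRET = b"constructed-demo-key-rotate-me"  # assumption: keep real keys in a secrets manager


class Unauthorized(Exception):
    """Raised when a mutation is called without the authority it requires."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: Dict) -> str:
    """Compact HMAC-SHA256 token: base64url(json) '.' base64url(mac)."""
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    mac = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"


def verify_token(token: str, now: Optional[float] = None) -> Dict:
    """Check the MAC in constant time, then the expiry; return the claims."""
    body, _, sig = token.partition(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise Unauthorized("bad signature")
    payload = json.loads(_unb64(body))
    if payload["exp"] < (now if now is not None else time.time()):
        raise Unauthorized("token expired")
    return payload


def create_token_vulnerable(args: Dict, context: Dict) -> str:
    """Never reads context['user']: an anonymous caller receives a 30-day admin
    token that is not tied to any store (the wildcard)."""
    return _sign({"store": "*", "role": "admin", "exp": time.time() + 30 * 24 * 3600})


def create_token(args: Dict, context: Dict, now: Optional[float] = None) -> str:
    """Hardened resolver: the session must exist, the caller must belong to the
    requested store, the role is copied from the session (never from the
    mutation arguments), and the token lives one hour."""
    now = now if now is not None else time.time()
    user = context.get("user")
    if user is None:
        raise Unauthorized("authentication required")
    store = args.get("store")
    if store not in user.get("stores", ()):
        raise Unauthorized("caller is not a member of that store")
    return _sign({"sub": user["id"], "store": store,
                  "role": user.get("role", "staff"), "exp": now + 3600})


def can_access_store(claims: Dict, store: str) -> bool:
    """The per-resource check every store-scoped query (listing a store's
    drive-thru configuration, for example) should run before answering."""
    return claims.get("store") == store


def raises_unauthorized(fn, *args, **kwargs) -> bool:
    """True if fn raises Unauthorized for these arguments."""
    try:
        fn(*args, **kwargs)
    except Unauthorized:
        return True
    return False


if __name__ == "__main__":
    anon: Dict = {}
    print("anonymous, vulnerable:", verify_token(create_token_vulnerable({}, anon)))
    print("anonymous, hardened rejects:", raises_unauthorized(create_token, {"store": "BK-1001"}, anon))
    session = {"user": {"id": "u-17", "role": "staff", "stores": ["BK-1001"]}}
    claims = verify_token(create_token({"store": "BK-1001"}, session))
    print("scoped claims:", claims, "other store:", can_access_store(claims, "BK-2002"))
```

The design point is that nothing in the token comes from the mutation arguments except the store name, and even that is only accepted after a membership check; with `can_access_store` applied on every store-scoped query, a leaked token is worth one store for one hour rather than the whole estate indefinitely.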
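The file upload API in the Control Room section signed URLs that let files land anywhere in the system. The Python below is an added example (not RBI's code and not from the original post) of issuing an upload URL that is scoped to the caller's own store: the object key is derived server-side from the token, the client supplies only a bare filename, the content type is allow-listed and the URL expires in minutes. `_presign` is a stand-in for S3 presigned-URL generation (boto3's `generate_presigned_url` would replace it), and the bucket name, signing key and allow-list are assumptions; the vulnerable variant is one plausible shape for what the post describes.

```python
"""Scope a signed upload URL to the caller's own store.

Added example, not RBI's code. _presign() is a stand-in for S3 presigned-URL
generation (boto3's generate_presigned_url would replace it); the bucket
name, signing key and allow-list are assumptions.
"""
import hashlib
import hmac
import re
import time
from typing import Dict, Optional
from urllib.parse import quote, urlencode

BUCKET = "assistant-uploads-example"                           # assumption
SIGNING_KEY = b"constructed-demo-signing-key"                  # assumption
ALLOWED_TYPES = {"audio/wav", "image/png", "application/pdf"}  # assumption
# One path segment only: no slashes, no leading dot, bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


class UploadDenied(Exception):
    """Raised when the request may not receive an upload URL."""


def _presign(key: str, content_type: str, expires: int) -> str:
    """Stand-in signer: binds method, object key, content type and expiry."""
    canonical = f"PUT\n{BUCKET}/{key}\n{content_type}\n{expires}"
    sig = hmac.new(SIGNING_KEY, canonical.encode(), hashlib.sha256).hexdigest()
    return f"https://{BUCKET}.s3.amazonaws.com/{quote(key)}?" + urlencode(
        {"expires": expires, "sig": sig}
    )


def issue_upload_url_vulnerable(args: Dict, token: Optional[Dict]) -> str:
    """One plausible shape for what the post describes: the object key comes
    straight from the client, nobody checks who is asking, and the URL lives
    for a week. A key containing '../' or another store's prefix is signed
    just the same."""
    return _presign(args["key"], args.get("content_type", "application/octet-stream"),
                    int(time.time()) + 7 * 24 * 3600)


def issue_upload_url(args: Dict, token: Optional[Dict], now: Optional[int] = None) -> Dict:
    """Hardened: requires a live store-scoped token, derives the key from that
    token (the client only supplies a bare filename), allow-lists the content
    type and keeps the URL valid for five minutes."""
    now = int(now if now is not None else time.time())
    if not token or token.get("exp", 0) < now or "store" not in token:
        raise UploadDenied("valid store-scoped token required")
    name = args.get("filename", "")
    if not SAFE_NAME.match(name) or ".." in name:
        raise UploadDenied("filename must be a single safe path segment")
    content_type = args.get("content_type")
    if content_type not in ALLOWED_TYPES:
        raise UploadDenied(f"content type not allowed: {content_type!r}")
    key = f"stores/{token['store']}/uploads/{now}-{name}"
    return {"key": key, "url": _presign(key, content_type, now + 300)}


def denied(fn, *args, **kwargs) -> bool:
    """True if fn raises UploadDenied for these arguments."""
    try:
        fn(*args, **kwargs)
    except UploadDenied:
        return True
    return False


if __name__ == "__main__":
    tok = {"store": "BK-1001", "exp": int(time.time()) + 600}
    print(issue_upload_url({"filename": "receipt.pdf", "content_type": "application/pdf"}, tok))
    print("traversal denied:",
          denied(issue_upload_url, {"filename": "../config.json", "content_type": "application/pdf"}, tok))
```

With a real S3 presigner the same rule holds: the signed key must be computed from the verified token, never copied from the request, and the bucket policy should additionally deny writes outside `stores/<id>/uploads/` for the role that signs, so a resolver bug cannot reopen the hole.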
### Drive-Thru Surveillance State

Access to thousands of raw voice recordings of customer orders, including background noise and sensitive data. The recordings are fed into an AI that analyzes:

- Customer sentiment
- Employee friendliness
- Upsell success rates
- Order processing times
- Frequency of phrases like "You rule"

### Bathroom Feedback System

- Bathroom rating screens were accessible without authentication.
- The bathroom review API accepted unauthenticated requests from anywhere, so any store's reviews could be spammed globally.

---

## Full Damage Report

With admin privileges, an attacker could:

- Add, remove, or manage stores anywhere
- View and modify employee accounts
- Send notifications to any store's tablets
- Access analytics and sales data
- Upload files into any store's system using signed AWS URLs

---

## Privacy Violations of Epic Proportions

- Access to hundreds of thousands of voice recordings containing personally identifiable information (PII).
- Potential violations of GDPR and other privacy laws.
- Exposure of embarrassing order details (e.g., 47 chicken nuggets at 2 AM).

---

## Timeline: The Speed Run

| When | What Happened |
|---|---|
| Day 1 | Initial exploration of the drive-thru system |
| Day 1, 2 hours later | Realized the severity: could access sensitive data |
| Day 1, 3 hours later | Confirmed ability to listen to live customer orders |
| Day 1, same day | RBI patched the vulnerabilities rapidly |

Note: RBI responded quickly but did not publicly