We Hacked Burger King: How Auth Bypass Led to Drive-Thru Audio Surveillance

https://news.ycombinator.com/rss Hits: 28
Summary

The Setup

Picture this: Restaurant Brands International (RBI) – the corporate overlords behind Burger King, Tim Hortons, and Popeyes – control over 30,000 locations worldwide. That's a lot of chicken sandwiches, maple syrup, and flame-broiled beef. What they also control is something called the "assistant" platform: the digital brain behind every drive-thru screen, bathroom tablet review, and the slightly-too-cheerful Burger King employee asking if you want to make it a combo.

Spoiler alert: their security was about as solid as a paper Whopper wrapper in the rain. We stumbled upon vulnerabilities so catastrophic that we could access every single store in their global empire, from a Burger King in Times Square to that lonely Tim Hortons where Bugs Bunny shoulda taken a left turn at Albuquerque. Oh, and did we mention we could listen to your actual drive-thru conversations? Yeah, that happened too.

The platforms were spread across three domains, each with the same delicious vulnerabilities:

https://assistant.bk.com
https://assistant.popeyes.com
https://assistant.timhortons.com

Buckle up, this is going to be a wild ride. 🍔

The Vulnerabilities

The "Anyone Can Join This Party" Signup API

Our journey began innocently enough. We tried logging in with fake credentials and discovered they were using AWS Cognito. The good news? The system worked exactly as designed. The bad news? They forgot to disable user signups. Oops. After a quick email verification dance with AWS's ConfirmSignUp method, we were in.

But wait, there's more! Using GraphQL introspection (because who doesn't love a good schema leak), we found an even easier signup endpoint that completely bypassed email verification. It was like finding a secret menu item, except this one came with user privileges.

    mutation SignUp {
      signUp(input: { email: "[email protected]", password: "password123" })
    }

The cherry on top? They emailed us the password in plain text. In 2025. We're not even mad, just impressed by the commitm...
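The root cause the post describes is a Cognito user pool left with public self-registration switched on. The following is an added example (not code from the post or from RBI) of the check a defender would run over the pool configuration: it audits the UserPool document that the real Cognito DescribeUserPool API returns, flagging AdminCreateUserConfig.AllowAdminCreateUserOnly being false (self-signup open) and, in that case, the absence of email auto-verification. The two pool documents are constructed samples with placeholder IDs; fetching a live one is a single boto3 call, noted in a comment.

```python
"""Audit Cognito user-pool settings for the open self-signup weakness.

Input is the ``UserPool`` document returned by the Cognito ``DescribeUserPool``
API.  With boto3 that is:
    boto3.client("cognito-idp").describe_user_pool(UserPoolId=...)["UserPool"]
The two pools below are constructed samples (placeholder IDs), so this runs offline.
"""
from __future__ import annotations

# Constructed sample: public self-registration left on and no verified attribute,
# i.e. an unauthenticated SignUp call creates a usable account.
WEAK_POOL = {
    "Id": "us-east-1_EXAMPLE1",
    "Name": "assistant-users-example",
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False},
    "AutoVerifiedAttributes": [],
}

# Constructed sample: only administrators may create users; email is auto-verified.
HARDENED_POOL = {
    "Id": "us-east-1_EXAMPLE2",
    "Name": "assistant-users-example",
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": True},
    "AutoVerifiedAttributes": ["email"],
}


def audit_user_pool(pool: dict) -> list[str]:
    """Return findings for one pool; an empty list means self-signup is closed."""
    findings: list[str] = []
    # Cognito's default for this flag is False, so a missing key means self-signup is open.
    admin_only = pool.get("AdminCreateUserConfig", {}).get("AllowAdminCreateUserOnly", False)
    if not admin_only:
        findings.append("self-signup enabled: unauthenticated SignUp calls create accounts")
        # Without an auto-verified email, a signed-up account needs no confirmation code.
        if "email" not in pool.get("AutoVerifiedAttributes", []):
            findings.append("email not auto-verified: sign-ups need no confirmation code")
    return findings


def audit_many(pools: list[dict]) -> dict[str, list[str]]:
    """Map each pool ID to its findings, for a fleet-wide sweep."""
    return {pool["Id"]: audit_user_pool(pool) for pool in pools}


if __name__ == "__main__":
    for pool_id, findings in audit_many([WEAK_POOL, HARDENED_POOL]).items():
        print(f"{pool_id}: {'OK' if not findings else '; '.join(findings)}")
```

Closing self-signup on the pool is the fix for the first issue; the separate GraphQL signup mutation the post mentions would still have to be audited on the application side, since it bypasses Cognito's confirmation step entirely.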

First seen: 2025-09-06 14:26

Last seen: 2025-09-07 17:40