- Hard-coded passwords exposed the fragile security infrastructure of Burger King worldwide
- The hackers accessed employee accounts and internal configurations with shocking ease
- Clear-text passwords sent by e-mail revealed neglected cybersecurity practices
Restaurant Brands International (RBI), the parent company of Burger King, Tim Hortons and Popeyes, has been called out for glaring security defects.
Two ethical hackers, known as Bobdahacker and Bobtheshoplifter, recently revealed how easily they gained access to critical systems.
Their findings, now available only in archived form after the original blog post was taken down, paint a troubling picture of fast-food cybersecurity.
Passwords that anyone could guess
One of the most surprising discoveries was a hard-coded password in the HTML of an equipment control website.
That alone should have raised red flags, but the problems went further: in the training tablet system, the password was simply “admin”.
Weak credentials of this kind are normally caught by even the most basic antivirus checks and system audits.
For a global company operating more than 30,000 points of sale, such oversights raise serious questions about how little attention was paid to digital safeguards.
The hackers explained how they accessed employee accounts, internal configurations and even raw audio recordings of drive-through conversations.
These recordings sometimes captured personal information as customers placed their orders, and they were then processed by AI systems to evaluate both staff and customers.
This access, handled responsibly by the ethical hackers, highlights what could have happened in the wrong hands.
The exposure also reached into odd corners of the business. The team found the code behind the restaurants’ restroom rating screens.
Although they joked about leaving fake reviews from home, they stuck to responsible disclosure practices.
They stressed that no data was retained, but the scope of their findings shows just how open the systems were.
The ethical hackers described RBI’s security as “catastrophic” and “as solid as a paper wrapper in the rain”.
The language may be tongue-in-cheek, but the flaws were real.
They included an API that allowed anyone to register an account without restriction, and plain-text e-mails containing passwords.
The duo even found ways to grant administrative access to platforms.
These are precisely the problems that basic ransomware protection and sound malware-removal policies are meant to reduce.
Yet the report shows that the fundamentals of security were neglected at the corporate level, leaving every associated brand at risk.
RBI reportedly fixed the issues once informed, but the company has not publicly acknowledged the ethical hackers.
That silence leaves open the question of whether the lessons will really be learned, or whether this was treated as a patch-and-move-on event.
Via Tom’s Hardware