A “white” hacker has hacked Burger King — and it turned out to be much easier than expected. Someone left the password “admin” right in the site’s code.
The “ethical” hackers BobDaHacker and BobTheShoplifter were looking for vulnerabilities in systems in order to report them and help fix them. For example, a similar problem destroyed a company with a 158-year history and put 700 people out of work. Now such a “critical” one has been found in the systems of Restaurant Brands International (RBI), the company that manages Burger King, Tim Hortons, and Popeyes. We are talking about more than 30,000 locations around the world.
“Their security was about as solid as a paper Whopper wrapper in the rain,” the BobDaHacker blog ironically says.
The researchers were able to access employee accounts, internal ordering systems, and even listen to recordings of conversations at the cash register. The problems began with the API, which allowed anyone to register because the developers “forgot to disable user registration.” Then, through GraphQL queries, they found a way to bypass email verification, and passwords were stored in clear text. With the help of createToken, the hackers upgraded their status to administrator.
A separate highlight is passwords that are simply written in the code. A quick look at RBI’s equipment ordering website showed that the HTML directly provides access to the device storage system. And on Burger King’s tablets, the password was “admin”. This is what allowed access to the audio recordings of customers at the cash register, which are transmitted to AI systems.
Among other things, the hackers even came across a system for rating bathrooms in restaurants. They joke that they could have “given a 5-star review of a bathroom in Tokyo while sitting in their pajamas in Ohio,” but refrained. The bloggers emphasized that they did not store any customer data and followed the rules of responsible disclosure.
But RBI did not officially recognize their work. So they concluded the study with a bold phrase: “Wendy’s is better.” Still, it is absurd that the programmers left the Burger King password right in the code. Against this background, another frankly stupid case comes to mind: after a single phone call, technical support gave out the password of the household chemicals manufacturer Clorox.
Source: TomsHardware
Online media entity; media identifier: R40-06029.