Two ethical hackers recently revealed severe security flaws in the platforms operated by Restaurant Brands International (RBI), the global parent company behind Burger King, Tim Hortons, Popeyes, and Firehouse Subs.
Formed in 2014 through a $12.5 billion merger between Burger King and Tim Hortons, RBI has since expanded into a multinational powerhouse with over 32,000 restaurants in more than 120 countries. Its platforms handle massive volumes of customer data, making security a critical issue.
Vulnerabilities Exposed
In their research—initially published in a blog that has since been removed—the hackers highlighted how weak RBI’s defenses were:
“We discovered vulnerabilities so catastrophic that we could access every single store in their global network. From franchise operations to customer interactions, nothing was off-limits.”
Among the key findings:
- AWS Cognito misconfiguration: RBI left user self-registration enabled, a critical oversight that allowed anyone to create accounts with elevated access.
- Bypassing email verification: A separate signup endpoint sent credentials in plain text, effectively handing attackers the keys without verification.
- Critical platform exposure: The researchers confirmed that domains for Burger King (bk.com), Popeyes (popeyes.com), and Tim Hortons (timhortons.com) were all vulnerable, allowing potential attackers to:
  - Access and listen to customer drive-thru order recordings.
  - Add, remove, or manage franchise stores.
  - View and modify employee accounts.
  - Extract store analytics and sales data.
  - Upload malicious files or push notifications to in-store systems.
  - Exploit a self-installation device ordering system with hardcoded credentials in the HTML.
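The Cognito finding above (self-registration left enabled) is the kind of setting a defender can audit automatically. The following is an added example, not RBI's or the researchers' code: it checks user pool descriptions, shaped like boto3's `describe_user_pool()["UserPool"]`, for self sign-up, runs offline on constructed sample pools, and shows how the live account scan would be wired in; the pool IDs and names are made up.

```python
"""Audit Amazon Cognito user pools for self-registration (SignUp) being open."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Finding:
    pool_id: str
    name: str
    self_signup_enabled: bool      # anyone can call SignUp on this pool
    auto_verified: list[str]       # attributes Cognito verifies on sign-up


def check_user_pool(pool: dict) -> Finding:
    """Evaluate one UserPool dict as returned by describe_user_pool()."""
    admin_cfg = pool.get("AdminCreateUserConfig", {})
    # AllowAdminCreateUserOnly=False (the Cognito default) means public
    # self-registration is on; treat a missing key as the risky default.
    self_signup = not admin_cfg.get("AllowAdminCreateUserOnly", False)
    return Finding(pool["Id"], pool.get("Name", "?"), self_signup,
                   list(pool.get("AutoVerifiedAttributes", [])))


def risky_pool_ids(pools: list[dict]) -> list[str]:
    """IDs of pools where self sign-up is enabled (what an auditor wants flagged)."""
    return [f.pool_id for f in map(check_user_pool, pools) if f.self_signup_enabled]


def audit_account(region: str) -> list[Finding]:
    """Live variant: list every pool in the region and check each (needs AWS creds)."""
    import boto3  # imported here so the offline checks need no AWS SDK installed

    idp = boto3.client("cognito-idp", region_name=region)
    findings = []
    for page in idp.get_paginator("list_user_pools").paginate(MaxResults=60):
        for summary in page["UserPools"]:
            pool = idp.describe_user_pool(UserPoolId=summary["Id"])["UserPool"]
            findings.append(check_user_pool(pool))
    return findings


# Constructed sample pools (fake IDs/names), shaped like describe_user_pool output.
SAMPLE_POOLS = [
    {"Id": "us-east-1_EXAMPLE1", "Name": "store-portal",
     "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False},
     "AutoVerifiedAttributes": ["email"]},
    {"Id": "us-east-1_EXAMPLE2", "Name": "staff-admin",
     "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": True},
     "AutoVerifiedAttributes": ["email"]},
    {"Id": "us-east-1_EXAMPLE3", "Name": "legacy"},  # config block absent entirely
]

if __name__ == "__main__":
    for finding in map(check_user_pool, SAMPLE_POOLS):
        print(finding)
```

Remediation is `update_user_pool(UserPoolId=..., AdminCreateUserConfig={"AllowAdminCreateUserOnly": True})`, but that call resets any pool setting you leave out to its default, so pass the full current configuration rather than only the one key.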
Customer Data and AI Misuse
One of the most concerning discoveries was the exposure of raw customer audio recordings, including background conversations and personally identifiable information (PII). These recordings were being fed into AI systems to analyze metrics such as:
- Customer sentiment.
- Employee performance and friendliness.
- Upsell success rates.
- Order processing efficiency.
This raised serious concerns about data privacy and the potential misuse of sensitive personal information.
A Swift but Silent Fix
The vulnerabilities were discovered and disclosed within a single day—and RBI reportedly fixed them just as quickly. However, the company has not publicly acknowledged the researchers or commented on the severity of the flaws.
Lessons for Enterprises
This incident highlights several critical cybersecurity lessons for global organizations:
- Cloud service misconfigurations remain one of the most common and dangerous vulnerabilities. Proper configuration management and access controls are essential.
- PII and voice data must be secured with the same rigor as financial or health data, especially when leveraged for AI-driven analytics.
- Transparency and collaboration with the security community are key. Ignoring or failing to credit ethical researchers discourages responsible disclosure.
In today’s threat landscape, businesses must treat cybersecurity not as a technical afterthought but as a core operational priority—especially when customer trust and global brand reputation are on the line.