- Hard-coded passwords exposed Burger King's fragile security infrastructure worldwide
- Hackers gained access to employee accounts and internal configurations with shocking ease
- Plain-text passwords sent via email revealed careless cybersecurity practices
Restaurant Brands International (RBI), the parent company of Burger King, Tim Hortons and Popeyes, has been called out for glaring security flaws.
Two ethical hackers, known as Bobdahacker and Bobtheshoplifter, recently revealed how easily they gained access to critical systems.
Their findings, now archived after the original blog post was withdrawn, paint a troubling picture of fast-food cybersecurity.
Passwords that anyone could guess
One of the most surprising discoveries was a password hard-coded in the HTML of an equipment ordering website.
This alone would have raised red flags, but the problems did not stop there. In the review table system, the password was simply “admin”.
Weak credentials like these are usually caught by even the most basic antivirus checks and system audits.
For a global company running over 30,000 businesses, such oversights raise serious questions about how little attention was given to digital protective measures.
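A minimal version of the kind of basic check the passage above refers to, as an added example that is not from the article or the hackers' report: it parses a page and flags password literals in pre-filled password fields, inline scripts and HTML comments, marking trivially guessable values such as "admin". The sample page, the weak-password list and the names `audit_html` and `CredentialAudit` are constructed for illustration.

```python
import re
from html.parser import HTMLParser

WEAK = {"admin", "password", "123456", "changeme"}  # constructed list; "admin" is from the article
# Assignments such as password = "x" or pwd: 'x' in inline script or comments.
ASSIGN = re.compile(r"""\b(?:pass(?:word|wd)?|pwd|secret)\b["']?\s*[:=]\s*["']([^"']+)["']""", re.I)

class CredentialAudit(HTMLParser):
    """Collects (line, location, value, is_weak) for credential literals in HTML."""
    def __init__(self):
        super().__init__()
        self.findings, self._in_script = [], False

    def _report(self, where, value, extra_lines=0):
        line = self.getpos()[0] + extra_lines  # getpos() marks the start of the chunk
        self.findings.append((line, where, value, value.lower() in WEAK))

    def _scan(self, where, text):
        for m in ASSIGN.finditer(text):
            self._report(where, m.group(1), text[:m.start()].count("\n"))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self._in_script = tag == "script"  # no tags are parsed inside <script>
        # A password field shipped with a pre-filled value is readable by any visitor.
        if tag == "input" and (a.get("type") or "").lower() == "password" and a.get("value"):
            self._report("input value", a["value"])

    def handle_endtag(self, tag):
        self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._scan("inline script", data)

    def handle_comment(self, data):
        self._scan("html comment", data)

def audit_html(source):
    parser = CredentialAudit()
    parser.feed(source)
    parser.close()
    return parser.findings

# Constructed sample page, not taken from any real system.
SAMPLE = """<html><body>
<!-- staging login: password = "Summer2024" -->
<form><input type="password" name="pw" value="admin"></form>
<script>
var cfg = { user: "orders", password: "admin" };
</script>
</body></html>"""
```

Calling `audit_html(SAMPLE)` returns one tuple per finding; run against built pages in CI, any non-empty result is a reason to fail the build.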
The hackers explained how they gained access to employee accounts, internal configurations and even raw audio recordings of reviewed conversations.
These recordings sometimes contained personal information when customers ordered food, which was later processed by AI systems to evaluate both staff and customers.
This access, although responsibly handled by the ethical hackers, highlights what could have happened in the wrong hands.
The exposure also extended to odd corners of the company. The team uncovered code tied to restaurant bathroom screens.
Although they joked about leaving false reviews from home, they adhered to responsible disclosure practices.
They emphasized that no customer data was retained, but the extent of their findings shows how open the systems were.
The ethical hackers described RBI’s security as “catastrophic” and “solid as a paper Whopper wrapper in the rain.”
This language may be tongue-in-cheek, but the shortcomings were real.
They included an API that allowed anyone to sign up without restrictions and plain-text emails containing passwords.
The duo even found ways to grant themselves administrator access across platforms.
These are the kinds of problems that basic ransomware protection and good malware removal are intended to reduce.
Nevertheless, the report shows that basic fundamentals were overlooked at the corporate level, leaving every associated brand at risk.
RBI reportedly fixed the problems once it was informed, but the company did not publicly acknowledge the ethical hackers.
This silence leaves open the question of whether lessons will really be learned or whether this was treated as a patch-and-move-on event.
Via Tom's Hardware



