Fast food giant Burger King has landed in hot water after ethical hackers revealed that its online systems were wide open to attack. The flaws were so serious that hackers could peek into employee accounts, listen to drive-thru conversations, and even order store equipment.
Flaws Found Across Burger King, Popeyes, and Tim Hortons
The shocking part is that these holes were found not only in Burger King’s systems but also in those of other brands owned by its parent company. That includes Tim Hortons and Popeyes, which together operate more than 30,000 outlets worldwide.
The hackers described the company’s defenses as being “as solid as a paper Whopper wrapper in the rain.” Their report, which was briefly published online before being taken down, painted a picture of careless mistakes and weak protection across multiple platforms.
The hackers discovered that the main assistant platforms of Burger King, Popeyes, and Tim Hortons all shared the same serious problems. The affected domains were assistant.bk.com, assistant.popeyes.com, and assistant.timhortons.com.
With access to these systems, attackers could enter staff accounts, make changes to employee information, and interfere with the technology used in restaurants.
They explained that once inside, it was possible to listen to drive-thru recordings, which captured conversations between customers and staff. They could also control the tablets used by restaurants, order new devices directly through the company’s own website, and even send messages straight to individual outlets.
The ethical hackers stressed that they did not misuse or keep any data while exploring these issues. They followed responsible disclosure rules and only reported the problems to the company.
How the Security Blunders Were Uncovered
The hackers said the discovery of these gaps was surprisingly easy. One of the first mistakes they found came from a signup system that allowed anyone to create an account without restriction. They described it as the “Anyone Can Join This Party” setup because the developers had forgotten to switch off public signups.
When they explored further, they uncovered another weak point through GraphQL introspection, an API feature that lets a client ask the server to enumerate its own schema (types, queries, and mutations). This flaw allowed them to bypass email checks entirely. After entering the system, the hackers were able to give themselves administrator rights. That gave them broad control, including access to employee IDs, internal codes, and store configuration details.
They also checked the company’s equipment ordering website. They found the password written in plain text directly in the page’s HTML source, where anyone with basic knowledge could see it. The tablets used at drive-thrus had a similar problem: the system used “admin” as the default password, making them easy to access.
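Two of the mistakes described above, introspection left enabled on a production GraphQL endpoint and credentials embedded in page HTML or left at a vendor default, are easy to check for from the defender’s side. The following is an added example (not code from the researchers’ report or from the company) of small audit helpers for both. The GraphQL response, the HTML page, and every name and value in them are constructed for the example; the mutation names and the default-password list are assumptions, not anything taken from the affected systems.

```python
"""Constructed audit helpers for two misconfigurations: GraphQL introspection
enabled on a production endpoint, and credentials embedded in page HTML.
Added example; not the researchers' code or the company's code."""
import json
import re

# Minimal introspection query. A hardened production server refuses it
# (typically with an error instead of a "data" object).
INTROSPECTION_QUERY = "{ __schema { mutationType { fields { name } } } }"


def introspection_enabled(response_body: str) -> bool:
    """True if the server answered the introspection query with a schema."""
    try:
        data = json.loads(response_body)
    except json.JSONDecodeError:
        return False
    return isinstance(data.get("data"), dict) and "__schema" in data["data"]


# Mutation names that hint at privilege changes and deserve a review of
# their server-side authorization checks.
PRIVILEGE_HINTS = re.compile(r"(role|admin|permission|grant|elevate)", re.I)


def sensitive_mutations(response_body: str) -> list:
    """Mutation names from an introspection response that touch privilege."""
    if not introspection_enabled(response_body):
        return []
    schema = json.loads(response_body)["data"]["__schema"]
    mutation_type = schema.get("mutationType") or {}
    fields = mutation_type.get("fields", [])
    return sorted(f["name"] for f in fields if PRIVILEGE_HINTS.search(f["name"]))


# Key/value pairs such as  password = "..."  or  apiKey: '...'  in client code.
CREDENTIAL_PATTERN = re.compile(
    r"""(?P<key>password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*"""
    r"""['"](?P<value>[^'"]{0,128})['"]""",
    re.I,
)
# Assumed list of vendor-default or trivially guessable values.
DEFAULT_PASSWORDS = {"admin", "password", "123456", "changeme", ""}


def find_embedded_credentials(html: str) -> list:
    """Return one finding per credential-looking literal in the HTML source."""
    findings = []
    for match in CREDENTIAL_PATTERN.finditer(html):
        value = match.group("value")
        findings.append({
            "key": match.group("key"),
            "line": html.count("\n", 0, match.start()) + 1,  # 1-based line
            "default": value.lower() in DEFAULT_PASSWORDS,
        })
    return findings


def audit(introspection_body: str, html: str) -> dict:
    """Combine both checks into a single report dictionary."""
    return {
        "introspection_enabled": introspection_enabled(introspection_body),
        "sensitive_mutations": sensitive_mutations(introspection_body),
        "embedded_credentials": find_embedded_credentials(html),
    }


# Constructed sample inputs (not captured from any real system).
SAMPLE_INTROSPECTION = json.dumps({"data": {"__schema": {"mutationType": {
    "fields": [{"name": "createUser"}, {"name": "setUserRole"},
               {"name": "updateProfile"}]}}}})
SAMPLE_DISABLED = json.dumps({"errors": [{"message": "introspection is disabled"}]})
SAMPLE_HTML = """<html><body>
<script>
  var loginPassword = "admin";   // constructed: credential left in client code
  var apiKey = 'ck-constructed-placeholder';
</script>
</body></html>"""

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_INTROSPECTION, SAMPLE_HTML), indent=2))
```

Run against a real deployment, `INTROSPECTION_QUERY` would be sent to your own endpoint and the response body handed to `introspection_enabled`; a production server should return an error rather than a schema. The HTML scanner is a coarse regex meant for a CI check over your own templates and bundles, so expect to tune `CREDENTIAL_PATTERN` to the naming conventions of your code base.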
Another surprising find was the code behind the bathroom rating screens used inside restaurants. With the access they had, the hackers joked that they could leave five-star reviews for bathrooms anywhere in the world without leaving home.
Ethical Hackers Left Unacknowledged
Despite revealing flaws of such scale, the ethical hackers said the company never acknowledged their work. They insisted that they reported everything responsibly and did not retain or misuse any of the data they came across.
Their report, however, made clear just how careless the company had been with its defenses. From plaintext passwords to hard-coded logins and open signup systems, the mistakes revealed a long list of weak practices.
The hackers gave the company the information it needed to fix the gaps, but they were not happy with how their work was treated. In the end, they added a cheeky line to their report: Wendy’s is better than Burger King.