Introduction
Attackers could have accessed sensitive diagnostic screens and customer data across Burger King, Popeyes, and Tim Hortons by exploiting a fundamental authentication flaw in Restaurant Brands International's assistant platform. This vulnerability, tracked as CVE-2025-62650 and scored 8.3 on the CVSS scale, demonstrates the real-world risks of relying on client-side authentication in cloud-managed restaurant operations platforms.
About Restaurant Brands International (RBI): RBI is a major force in the global quick service restaurant industry, operating over 32,000 locations in more than 120 countries under brands including Burger King, Popeyes, and Tim Hortons. Their technology platforms handle drive-thru ordering, employee management, analytics, and customer data at massive scale.
Technical Information
CVE-2025-62650 is rooted in the use of client-side authentication for diagnostic screens within the RBI assistant platform. The check was implemented in JavaScript running in the user's browser, with the expected password ("admin") hardcoded in the HTML source. Because the browser is under the visitor's control, a check performed there gates only what the page displays: anyone who views the source learns the password, and anyone who edits the script or calls the gated code directly skips the check entirely. Either way, diagnostic interfaces intended only for authorized personnel were reachable by any user with basic technical skills.
The vulnerability was compounded by a misconfiguration in AWS Cognito, which managed user authentication for the platform. User self-signup was enabled on the user pool, so arbitrary accounts could be created without any administrator involvement. One endpoint required email verification, but an alternative signup endpoint bypassed that check and sent credentials in plain text, weakening the process further. After creating an account, an attacker could authenticate and reach a wide range of sensitive resources, including:
- Store management functions (add, remove, or modify franchise locations)
- Employee account data
- Drive-thru audio recordings containing customer information
- Store analytics and sales data
- File upload and notification systems
The flaw is classified under CWE-603 (Use of Client-Side Authentication), which highlights the risks of performing security-critical checks on the client rather than the server. This vulnerability affected all three major RBI domains (bk.com, popeyes.com, timhortons.com) through at least 2025-09-06.
Affected Systems and Versions
- Restaurant Brands International (RBI) assistant platform through 2025-09-06
- Impacted brands: Burger King (bk.com), Popeyes (popeyes.com), Tim Hortons (timhortons.com)
- Vulnerable configuration: Diagnostic screens relying on client-side authentication, AWS Cognito user pools with public signup enabled
Vendor Security History
RBI has previously faced scrutiny over exposed credentials and concerns about the maturity of their cloud and application security practices. The company responded to this incident by remediating the vulnerability within a single day of responsible disclosure. However, RBI attempted to suppress public discussion of the issue via DMCA takedown notices, drawing criticism from the security community for their approach to vulnerability disclosure and transparency.