Burger King forgets to put a password on their systems, again

The fast food giant put their systems and data at risk by exposing sensitive credentials to the public for a second time.

Burger King is a renowned US-based international fast food giant with a global presence of over 19 thousand restaurants and revenue of $1.8 billion.

Recently, the Cybernews research team uncovered that Burger King in France exposed sensitive credentials to the public due to a misconfiguration on their website.

In the hands of malicious actors, the leaked credentials could have served as a tool to craft a cyberattack against the chain's systems. As the affected website served for job applications, people who sought employment at Burger King in France might have been potentially affected.

It’s not the first time Burger King has leaked sensitive data. In 2019, due to a similar misconfiguration, the France branch reportedly leaked personally identifiable information (PII) of children who bought Burger King menus.

Cybernews reached out to the company, and it fixed the issue.

.env file
Leaked environment file | Image by Cybernews

Publicly accessible credentials

On June 1st, 2023, the Cybernews research team discovered a publicly accessible environment file (.env) belonging to Burger King’s French website, containing various credentials. The file was hosted on the subdomain used for posting job offers.

Although the leaked data itself wouldn't be sufficient to gain complete control over the website, it could significantly simplify the process of a potential takeover for attackers, especially if they manage to identify other vulnerable endpoints.

Among other sensitive data, the file contained credentials for a database. While, due to legal reasons, the researchers could not check what exactly was stored in the database, there were likely job posts and perhaps other data entered by the applicants.

The exposure of database credentials is dangerous, as a malicious actor could use them to connect to the database and read or modify data stored within. If a threat actor is able to find and exploit an arbitrary PHP code execution vulnerability within the site, the credentials within .env could allow easier and more stealthy extraction of the MySQL database.

Another piece of sensitive information that the research team observed included a Google Tag Manager ID. Google Tag Manager is a tool used to optimize update measurement codes and related code fragments, collectively known as tags, on a website or mobile app. Google Tag Manager ID specifies which tag manager container should be used by the website.

By holding these credentials and combining them with other vulnerable points on the website, attackers could potentially change the Tag ID to an ID of their own container. Then they’d be able to execute arbitrary JavaScript code on the website.

Corrupting the website’s metrics

Finally, researchers found a Google Analytics ID. This is used to determine which traffic should be recorded and sent to the associated Google Analytics account.

An attacker could exploit this leaked data to set up the ID on a site which they control, and then flood it with automatically generated traffic. This influx would overwhelm the associated Google Analytics account, causing significant disruption and distortion of the website's performance analysis for the duration of the attack.