Restaurant Brands International Signup API Vulnerability Allowing Unauthenticated Account Creation

Vulnerability

A vulnerability exists in the Restaurant Brands International (RBI) assistant platform, affecting several major brands including Burger King, Tim Hortons, and Popeyes, through 2025-09-06. The issue arises from a signup API that allows anyone to create user accounts without verification. This flaw enables remote, unauthenticated attackers to bypass email verification and gain access to accounts, potentially leading to unauthorized actions within the platform.

Impact

Exploitation of this vulnerability allows for unauthorized user account creation, bypassing email verification. This could lead to unauthorized access and actions within the RBI assistant platform, including management of franchise stores, employee accounts, and access to store analytics and sales data. Additionally, it could allow interception of drive-thru voice recordings, which contain personal customer information.

Added: Oct 17, 2025, 9:24 PM
Updated: Oct 18, 2025, 12:17 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.0
exploitability: 8.7
remediation: 0.0
relevance: 0.8
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.