Restaurant Brands International Assistant Platform Cleartext Password Transmission Vulnerability

Vulnerability

A vulnerability in the Restaurant Brands International (RBI) assistant platform, present through September 6, 2025, allowed user account passwords to be sent in cleartext via email. The cause was an improperly configured user signup process that left account creation open to anyone, bypassed email verification, and echoed the credential back to the user in the welcome email.

Impact

Exploitation of this vulnerability results in user passwords being transmitted in cleartext email. Anyone able to read that mail, whether in transit through relays or at rest in a mailbox, obtains a working credential, creating a risk of account compromise. Because signup was open and unverified, accounts could also be created without the address owner's consent.

Reproduction

The vulnerability can be reproduced by submitting a new account through the open signup endpoint on the RBI assistant platform domains for Burger King, Popeyes, and Tim Hortons. No email verification step is enforced, the account is usable immediately, and the resulting email contains the chosen password in cleartext, where it can be read by anyone with access to the message.

Remediation

RBI has reportedly fixed the vulnerability by closing open user sign-up access and enforcing email verification on account creation.
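The two signup patterns side by side, as an added illustration that is not RBI's code and does not reflect the platform's actual endpoints: the vulnerable flow activates the account immediately and mails the password in cleartext; the hardened flow restricts signup to an allow-list, stores only a salted hash, mails a single-use, expiring verification link (never the password), and refuses login until the address is verified. The `Outbox` mail sink, the `assistant.example` host, the allowed-domain list, and the token lifetime are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Outbox:
    """Constructed in-memory mail sink standing in for the platform's mailer."""
    messages: list = field(default_factory=list)

    def send(self, to: str, subject: str, body: str) -> None:
        self.messages.append({"to": to, "subject": subject, "body": body})


class VulnerableSignup:
    """Pattern the advisory describes: open signup, no verification, password mailed in clear."""

    def __init__(self, outbox: Outbox):
        self.users: dict = {}
        self.outbox = outbox

    def signup(self, email: str, password: str) -> bool:
        # Account is live at once; the password is echoed back in the welcome mail.
        self.users[email] = {"password": password}
        self.outbox.send(email, "Welcome", f"Your account is ready. Password: {password}")
        return True

    def login(self, email: str, password: str) -> bool:
        user = self.users.get(email)
        return user is not None and user["password"] == password


def _hash_password(password: str, salt: bytes) -> bytes:
    # Iteration count is an assumed example value, not a recommendation for production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class HardenedSignup:
    """Closed signup, hashed credentials, single-use verification link, no password in mail."""

    TOKEN_TTL = 3600  # seconds a verification link stays valid (assumed policy)

    def __init__(self, outbox: Outbox, allowed_domains: set, clock=time.time):
        self.users: dict = {}
        self.pending: dict = {}  # sha256(token) -> (email, expiry)
        self.outbox = outbox
        self.allowed_domains = allowed_domains
        self.clock = clock  # injectable for testing expiry

    def signup(self, email: str, password: str) -> bool:
        domain = email.rpartition("@")[2].lower()
        if domain not in self.allowed_domains or email in self.users:
            return False  # signup is not open to arbitrary addresses
        salt = os.urandom(16)
        self.users[email] = {"salt": salt, "hash": _hash_password(password, salt), "verified": False}
        token = secrets.token_urlsafe(32)
        # Store only a hash of the token so a database leak does not yield usable links.
        key = hashlib.sha256(token.encode()).hexdigest()
        self.pending[key] = (email, self.clock() + self.TOKEN_TTL)
        self.outbox.send(email, "Verify your account",
                         f"Confirm your address: https://assistant.example/verify?token={token}")
        return True

    def verify(self, token: str) -> bool:
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(key, None)  # pop makes the link single-use
        if entry is None:
            return False
        email, expiry = entry
        if self.clock() > expiry:
            return False
        self.users[email]["verified"] = True
        return True

    def login(self, email: str, password: str) -> bool:
        user = self.users.get(email)
        if user is None or not user["verified"]:
            return False  # unverified accounts cannot authenticate
        return hmac.compare_digest(user["hash"], _hash_password(password, user["salt"]))


def demo() -> dict:
    """Run both flows on a constructed address and report what the mail reveals."""
    vuln_box, hard_box = Outbox(), Outbox()
    VulnerableSignup(vuln_box).signup("user@example.com", "hunter2")
    hard = HardenedSignup(hard_box, allowed_domains={"example.com"})
    hard.signup("user@example.com", "hunter2")
    return {
        "vuln_mail_leaks_password": "hunter2" in vuln_box.messages[0]["body"],
        "hard_mail_leaks_password": "hunter2" in hard_box.messages[0]["body"],
        "hard_login_before_verify": hard.login("user@example.com", "hunter2"),
    }
```

The check a reviewer wants is the one `demo()` makes explicit: grep the outbound mail for the submitted password. If it appears, the flow is the vulnerable one regardless of what the signup page says about verification.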

Added: Oct 17, 2025, 9:23 PM
Updated: Oct 18, 2025, 1:24 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 7.6
remediation: 0.0
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.