Restaurant Brands International Assistant Platform Audio Recording Vulnerability
Vulnerability
A vulnerability in the Restaurant Brands International (RBI) assistant platform, as it existed through September 6, 2025, allows remote attackers to access stored audio recordings of conversations between drive-thru customers and restaurant associates. The issue arises from improperly configured user sign-up options in AWS Cognito, which RBI uses for account management. The vulnerability could be exploited to access sensitive audio data, including personally identifiable information, and to manipulate various aspects of the restaurant's operational systems.
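One way to audit a Cognito user pool for this class of misconfiguration, as an added example that is not RBI's code or part of the original advisory. It assumes the "sign-up options" above refer to Cognito self-service registration (`AllowAdminCreateUserOnly` set to false); the pool IDs, names and Lambda ARN are constructed sample data.

```python
# Added example: flag Cognito user pools that allow open self-service sign-up.
# Real input comes from: aws cognito-idp describe-user-pool --user-pool-id <id>
import json

# Constructed sample data shaped like DescribeUserPool responses.
SAMPLE_POOLS = json.loads("""
[
  {"UserPool": {"Id": "us-east-1_EXAMPLE01", "Name": "assistant-prod",
                "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": false},
                "LambdaConfig": {}}},
  {"UserPool": {"Id": "us-east-1_EXAMPLE02", "Name": "assistant-staff",
                "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": true},
                "LambdaConfig": {}}},
  {"UserPool": {"Id": "us-east-1_EXAMPLE03", "Name": "loyalty-app",
                "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": false},
                "LambdaConfig": {"PreSignUp":
                  "arn:aws:lambda:us-east-1:111122223333:function:gate-signup"}}}
]
""")


def audit_pool(described):
    """Return (severity, findings) for one DescribeUserPool response."""
    pool = described["UserPool"]
    admin_cfg = pool.get("AdminCreateUserConfig", {})
    # A missing flag is treated here as False, i.e. sign-up is open.
    if admin_cfg.get("AllowAdminCreateUserOnly", False):
        return "ok", []
    findings = ["self-service sign-up enabled (AllowAdminCreateUserOnly=false)"]
    # A PreSignUp Lambda trigger can still reject unwanted registrations.
    if pool.get("LambdaConfig", {}).get("PreSignUp"):
        findings.append("PreSignUp trigger present: review its allow-list logic")
        return "review", findings
    findings.append("no PreSignUp trigger gating registration")
    return "high", findings


def audit_all(pools):
    """Map each pool Id to its severity."""
    return {p["UserPool"]["Id"]: audit_pool(p)[0] for p in pools}


if __name__ == "__main__":
    for described in SAMPLE_POOLS:
        severity, findings = audit_pool(described)
        print(described["UserPool"]["Name"], severity, findings)
```

For an internal staff platform, the corrected setting is `AllowAdminCreateUserOnly: true`, so that accounts are created only by administrators.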
Impact
Exploitation of this vulnerability could lead to unauthorized access to voice recordings of customer orders, including background conversations and car radios. Additionally, it could allow attackers to manage franchise stores, view and edit employee accounts, access store analytics and sales data, upload files and send notifications to store systems, and use a self-install device ordering system with a hard-coded password.
