UPD: A Sabubu user revealed that Burger King’s IT director has begun to publicly threaten the author of the investigation.
The first investigation into the Burger King app caused a stir in the media and made the top of Pikabu, TJournal and Habrahabr.
As it turned out, people are not indifferent to being spied on.
Hackers liked the investigation too: since publication, dozens of attacks have been carried out on my blog.
Note: All links to Burger King’s official answers and resources are archived, to prevent Burger King’s administration from editing or replacing their posts during or after the writing of this article.
The links are archived with the proven service archive.is.
All original links are at the end of this article.
Burger King stayed silent and blatantly ignored its customers’ questions for a whole day after the investigation was published, and answered only after a direct appeal from RosKomNadzor.
What answer did we get?
Let’s go through it point by point.
First, the “European law on personal data protection” means the GDPR. It applies only in the European Union; Russia is de facto outside its scope.
Russian Burger King is not bound by it.
Burger King is, however, obliged to comply with the Russian Federal Law on Personal Data, and it does not.
Second: “we do not make a recording.”
My original investigation clearly shows that the Burger King app does not just record the screen, it does so all the time.
Including while bank card details are being entered.
Third: “we receive impersonal analytics on the operation of the application.”
What impersonality can we be talking about if Burger King obtains the client’s phone number, name and postal address (as Burger King’s own app developer says) when the client registers and uses the app?
Burger King also stores detailed data about each user, as confirmed by Burger King’s director of digital projects, Sergey Ocheretin.
Sergey Ocheretin, Director of Digital Projects, Burger King.
Photo from open sources.
Sergey openly stated that he had “checked my accounts” (after an unambiguous hint that he knows my location; by the time of writing the comment had been deleted) and that Burger King has “logs” (action records) of each user.
Screenshot from the forum w3bsit3-dns.com.
Fourth: “or is it already forbidden to talk about this?”
Before this comment Burger King had never answered questions about the spying.
They blatantly ignored their customers’ questions and began to answer only after the direct appeal from RosKomNadzor (as I wrote above).
Here Burger King pretends it had already spoken about this, but in fact there was not a single answer.
The response to RosKomNadzor’s appeal is their first in all this time, and they immediately try to manipulate opinion by asking “or is it already forbidden to talk about it?”.
The screen recording is proven.
From the arguments above we can conclude that Burger King is lying again.
Soon after Burger King replied on VKontakte, the company that developed the Burger King app issued a rebuttal.
They say (quoting):
Let’s go through each of the items.
Point one: “hiding personal data when recording video for analytics is written into the application code; data is hidden before it leaves the mobile device.”
Hiding personal data is not written into the application code.
“Hiding personal data when recording video” is a parameter that the app requests from a remote server each time, and only after receiving the answer (“yes” or “no”) does it set the parameter to “hide personal data” or “do not hide personal data”.
This parameter is controlled remotely and Burger King can change it at any time. Simply put: if they want, it hides; if they don’t, it doesn’t.
Thus we conclude that the statement “data is hidden” is another blatant lie on the part of Burger King and their development team.
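To show why a server-controlled masking flag is a weak control, here is an added, constructed model (not the app’s, e-Legion’s or Appsee’s code; the field names, the `hidePersonalData` key and the server states are assumptions) that puts the fail-open decision described above beside a fail-closed one:

```python
from dataclasses import dataclass
from typing import Optional

# Fields the recording SDK must never upload unmasked (constructed list, assumption).
SENSITIVE_FIELDS = {"card_number", "card_expiry", "card_cvv", "phone", "email", "name"}


@dataclass
class Frame:
    """One captured input frame: which on-screen field and what the user typed."""
    field: str
    value: str


def remote_mask_flag(server_response: Optional[dict]) -> Optional[bool]:
    """Model the per-launch request for the 'hide personal data' parameter.
    Returns True/False as sent by the server, or None when the server is
    unreachable or the key is absent (assumed behaviour, not Appsee's protocol)."""
    if server_response is None:
        return None
    return server_response.get("hidePersonalData")


def mask(value: str) -> str:
    return "*" * len(value)


def upload_fail_open(frame: Frame, server_response: Optional[dict]) -> str:
    """The pattern the article describes: masking is applied only when the remote
    flag explicitly says 'yes'. Flag 'no', key missing or server down all send
    the raw field contents to the analytics server."""
    if remote_mask_flag(server_response) is True:
        return mask(frame.value)
    return frame.value


def upload_fail_closed(frame: Frame, server_response: Optional[dict]) -> str:
    """Hardened variant: sensitive fields are masked on the device no matter what
    the server says; the remote flag can only widen masking to everything, never
    switch it off, and an unreachable server means 'mask everything'."""
    flag = remote_mask_flag(server_response)
    if frame.field in SENSITIVE_FIELDS or flag is None or flag is True:
        return mask(frame.value)
    return frame.value
```

Run both functions on a card-number frame with the server answering “no”, or not answering at all, to see the difference: the first sends the digits in the clear, the second never does.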
Point two: “Burger King, e-Legion and Appsee do not have access to the users’ banking data. This data is not recorded, stored or transferred to third parties.”
As we found out in analysing the first item, the data is neither hidden nor encrypted. It is transmitted to the remote server in the clear and stored there.
Everyone associated with the application, as well as the AppSee analytics service, has access to this data.
The statement that Burger King, e-Legion (the app developer) and AppSee “do not have access to the users’ banking data” is another blatant lie.
Point three: “Burger King receives only the name, email and phone of the user in accordance with the User Agreement.”
As we found out in the first two points, Burger King has access to recordings of users’ screens and their payment data, so this statement is deceitful and intended to mislead the client.
Burger King does indeed have access to customers’ names, e-mails and phone numbers, but not “only” those: it has them “together” with screen recordings, bank cards and a full summary of each user’s actions.
Also in the User Agreement
The statement that “Burger King receives only the name, email and phone of the user” is a blatant lie.
Point four: “recording video from screens helps collect statistics in order to improve the performance of the application.”
Here we have the official confirmation of the screen recording without any vague wording.
But in its official statement Burger King said that they do not record the screen! How so?
Judging by the numerous complaints and reviews of the app, it is very slow and does not work well.
There is no “improvement of the application” to be seen.
Point five: “Appsee strictly adheres to all existing laws on working with users’ personal data.”
AppSee is an analytics service, and Burger King constantly states that the service “complies with the GDPR”; however, as we have already explained, GDPR compliance means nothing for Russia. And AppSee does not comply with the Federal Law “On Personal Data”.
So, again a lie. After all, the main law on personal data is exactly the one AppSee does not comply with.
Point six: “data transfer to the Appsee analytics service happens only via Wi-Fi and does not consume mobile traffic.”
Testing showed that video is transmitted both over Wi-Fi and over the cellular network.
Moreover, the e-Legion team’s own video (e-Legion being the developer of the Burger King app) from their post proves that the upload also happens over the cellular network.
Screenshot from the video above: “Cellular” means cellular data.
From this we conclude: another blatant lie.
The main complaint against me was that I showed only a screenshot of the video I had intercepted, but not the video itself.
Burger King, and Sergey personally, immediately took advantage of this to accuse me of supposedly lying.
Everyone else picked it up too and started groundlessly accusing me of a “hoax”, arguing that I had not shown the video. It went as far as direct insults and threats.
Why didn’t I show the video in the first place?
It’s simple: I’m only human too :)
First, I did not save the video with the bank cards (I watched it in the traffic inspector program and did not save it), and the screenshot was taken from another recording that there was no point in downloading.
Second, having written the original investigation post at night, I did not go to sleep. I forgot about sleep and started replying to everyone in the comments. A little later journalists discovered my investigation, it caused a stir, and I sat answering not only the comments but also journalists’ letters and messages.
I sat there for a very long time, and would have sat there longer.
But alas, I do not have a “turn off sleep and answer everyone” button, so I went to sleep.
Waking up to a pile of notifications on my phone, I realised, half asleep, that they wanted a video from me.
And they did not just want it; they wanted it with insults, threats and rudeness.
I think my reaction to such demands in the middle of the night was predictable: after telling everyone who insulted me where to go, I went back to sleep.
And the people who slung mud at me apparently thought I was obliged to jump at the first snap of their fingers. No, really.
At some point I decided to drop everything and do nothing at all (insults do not add to the desire to do something). But I decided to prove I was right all the same.
When I woke up, I remembered that I needed to make a video. Made it. :)
I intercepted this video from the traffic of a copy of the Burger King for iOS app (version 2.2.0, the latest).
The video was not modified in any way; the traffic and the application code were not changed.
As you can see, the bank card details are not hidden.
The phone, e-mail and name input fields, and the keyboard, are not hidden either.
Also, at the beginning of the video I removed the confirmation of agreement with the terms of use, but the video recording did not stop and was sent to the server anyway.
In its parameters (resolution, FPS, bit rate) my video completely matches the video referenced by the Burger King app’s development team in their post claiming that the data entry fields are “painted over”.
I want to point out a very important proof that my video really comes from the app: it does not show the status bar (the line with the cellular signal level, time and battery charge); instead there is an empty space.
Compare yourself:
On the left: my recording; on the right: the official screenshot of the application.
Such a video can be recorded only by the app itself.
Why?
On the iPhone (which is what I ran the app on) it is impossible to hide the status bar when recording the display with the OS’s own tools (and there are no others).
My iPhone is not jailbroken (OS hacked) and has the latest version of iOS installed, so I have no option to hide the status bar or to use a third-party app to record the screen.
Therefore the only way to get such a recording is for the app to record itself, since on iOS an app cannot record system elements other than the keyboard.
Also compare the empty status bars in the recordings provided by Burger King and in my video. They match: the status bar is absent in both.
What do we have in the end?
I have demolished every item of Burger King’s “refutation”.
Here is the evidence of Burger King’s direct lies.
I (and many other people) would like RosKomNadzor to check Burger King over its unsafe and couldn’t-care-less handling of customers’ personal data and bank cards.
And for this not to be limited to a VK post with memes, but to be a serious inspection.
Anticipating the question:
“Why would Burger King steal payment card data? They are already rich, and stealing cards would ruin their reputation.” (Quoting a real question from the forum)
I will answer:
The fact is that the Burger King app is not made by the head of the chain himself. Believe me, he is not sitting in a leather chair at a computer, lighting a Cuban cigar with a wad of dollars and typing in app code to steal money from Russians.
The Burger King app is made by the e-Legion company they hired, and everyone involved has access to the screen recordings (I do not believe e-Legion’s claim that only Burger King’s employees have access; it is a lie I have proven): e-Legion, Burger King, and everyone in between.
There may be a student there living on instant noodles and wanting easy money.
Or there may be an attacker who has just caught your card and already bought a brand new iPhone.
You will never know, because if this happens, Burger King, as usual, will brazenly tell you that everything is “okay”, and in general “you’ve been smoking something”.
And there is no reputation left to spoil.
Brazen lies, threats, rudeness, insults. This is just the beginning.
Although what to expect from a company with such advertising:
And such employees:
The links in the article are archived copies of the links below, made to prevent Burger King’s posts from being modified or deleted.
I do not recommend reading Burger King’s responses at the links below, since they could have been changed after the publication of my article.
The post of the developer company of the e-Legion application
Burger King IT director speaks about collecting user information
Information about Sergei Ocheretin - IT Director Burger King
Burger King App User Agreement
Source: https://habr.com/ru/post/417161/