Burger King: secret surveillance, lies, bank card theft. Continuation

UPD : User Sabubu told that the IT-director of Burger King began to threaten public investigation author.

Introduction

The first investigation into  the Burger King app created a resonance in the media, and also turned up in the top of Picaba, TJournal, and Habrahabr.

As it turned out, people are not indifferent to spying on them.

Hackers liked the investigation. Since the publication, dozens of hacker attacks have been carried out on my blog.

Note: All links to official answers and resources of Burger King are archived, in order to prevent editing or replacing their posts by the administration of Burger King after or during the writing of this article.

For archiving links using the proven service archive.is .

All original links are at the end of this article.

Part I. Answers.

Burger King was silent and blatantly ignored the questions of its clients for a whole day after the publication of the investigation, and answered only after a direct appeal from RosKomNadzor .

What answer did we get?

II Official reply Burger King VKontakte.

Well, let's sort through the points.

Firstly , “European law on personal data protection” means GDPR . It operates only for the European Union , and Russia has no relation to it de facto.

Russian Burger King does not obey him .

Burger King is required to follow the  Federal Personal Data Act , but he does not follow it .

Secondly - "we do not make a record."

In my original investigation, it is  clearly seen that the Burger King application does not just record the screen , but does it all the time .

Including - during input of details of bank cards.

Thirdly , “we get an impersonal analytics on the operation of the application”.

What kind of impersonality are we talking about if Burger King gets the client's phone number, name, and postal address (the application development company Burger King herself says so ) when registering and using the application?

Also, Burger King stores detailed data about each user, as confirmed by Burger King’s digital projects director  Sergey Ocheretin .

Sergey Ocheretin. Director of digital projects Burger King. 

Photo from open sources.

Sergey openly stated that he “checked my accounts” (after an unambiguous hint that he knows my location; at the time of writing the article the comment was deleted ) and that Burger King has logs ( action recordings ) of each user.

Screenshot from the forum w3bsit3-dns.com.

Fourthly : “or is it already impossible to talk about this?”

Burger King has never answered questions about spying before this comment.

They blatantly ignored the  questions of their clients and began to answer only after a  direct appeal from RosKomNadzor . (about what I wrote above).

Here Burger King pretends that they have allegedly already talked about this, but in fact - there was not a single answer .

The answer to the appeal of RosKomNadzor is their first ever, and they immediately try to manipulate the opinion saying, “or is it already impossible to talk about it?”.

Screen recording is proven.

Thanks to the above arguments, it can be concluded that Burger King is lying again.

I.II. "Denial"

Soon, after Burger King replied to VKontakte, the company-developer of the Burger King application also released a refutation .

They say that (further quote):

• Hiding personal data when recording video for analytics is written in the application code. Data is hidden before leaving the mobile device.
• Burger King, e-Legion and Appsee do not have access to user banking data. This data is not recorded, stored or transferred to third parties.
• Burger King receives only the name, email and phone of the user in accordance with the User Agreement:  burgerking.ru/legal_for_app
• Recording video from screens helps to collect statistics in order to improve the performance of the application.
• Appsee strictly adheres to all existing laws on user data. This is spelled out in their policies:  www.appsee.com/legal/privacypolicy
• Data transfer to the Appsee analytics service occurs only via Wi-Fi and does not consume mobile traffic.

Let's go through each of the items.

Point one is “hiding personal data when recording video for analytics is written in the application code, data is hidden before they leave the mobile device.”

Hiding personal data is not spelled out in the application code.

Hiding personal data when recording video is a parameter that the application requests each time from the remote server , and only after receiving a response (“yes” or “no”) does it set the parameter value to “hide personal data” or “not hide personal data” .

This parameter is controlled remotely and Burger King can change it at any time. Simply put: wants - does not hide, wants - hides.

User comment on Habr.com

Thus, we conclude that the statement “data is being hidden” is another blatant lie on the part of Burger King and their development team.

Point two is “Burger King, e-Legion and Appsee do not have access to the users' banking data. This data is not recorded, stored or transferred to third parties. ”

As we found out in the analysis of the first item - the data is not hidden or encrypted. They are transmitted to the remote server in the clear and stored there.

Access to this data is available to everyone who is associated with the application, as well as with the AppSee metric.

The statement that Burger King, e-Legion (application developer), and AppSee "do not have access to the users' banking data" is  another blatant lie .

Point three is “Burger King receives only the name, email and phone of the user in accordance with the User Agreement”.

As we found out in the first two points - Burger King has access to the records of user screens and their billing data , therefore this statement is deceitful and is intended to mislead the client.

However, Burger King does have access to customer names, e-mail, and customer phones, but not “only”, but “together” with screen entries, bank cards, and a full summary of each user's actions.

Also in the User Agreement

The statement that "Burger King receives only the name, email and phone of the user" is a blatant lie .

Point four - "Record video from the screens helps to collect statistics in order to improve the performance of the application."

Here we come to the official confirmation of the screen recording without vague wording.

However, in his official statement, Burger King said that they did not record the screen! How so?

Judging by the numerous complaints and reviews on the application - it is very slow and does not work well.

There is no "improvement of the application".

Point five - "Appsee strictly adheres to all existing laws on working with personal data of users."

AppSee is a service of analytics, and Burger King constantly states that the service “should be a GDPR”, however - as we have already explained , for Russia, compliance with the GDPR means nothing. But   he does not obey the Federal Law "On Personal Data" .

So - again a lie . After all, the main law on personal data - AppSee does not obey.

Point six - “data transfer to the Appsee analytics service occurs only via Wi-Fi and does not consume mobile traffic.”

Testing has shown that video transmission occurs over Wi-Fi and over the cellular network.

Moreover, their own video of the e-Legion team (the developer of the Burger King application) from their post proves that the download also takes place over the cellular network.

The screenshot from the video above, Cellular, is cellular data.

From this we conclude - another blatant lie .

Part II. Proof of recording and transmission of banking data.

Introduction

The most important complaint to me was that I showed only a screenshot of the video I had intercepted, but the video itself did not show.

Burger King immediately took advantage of this and separately Sergey , to accuse me of supposedly lying.

All the rest also picked it up, having started groundlessly accusing me of “throwing”, arguing that I did not show the video. Reached direct insults and threats.

Why didn't I show the video first? 

Part II.I. Video made by the application

This video was intercepted by me from a copy of the Burger King for iOS application traffic (version 2.2.0 is the last).

The video was not modified in any way , the traffic and application code did not change .

As you can see, the details of a bank card are not hidden.

Do not hide the input field of the phone, E-Mail, name, and keyboard.

Also, at the beginning of the video, I removed the confirmation of agreement with the terms of use, but the video recording did not stop and it went to the server anyway.

Part II.II. Technical information

By parameters (resolution, FPS, bitrate) - my video completely coincides with the video referenced by the team-developer of the Burger King application in its post , stating that the data entry fields are “painted over”.

Part II.III. Why my video is real.

I want to note a very important proof that my video is really from the application: it does not show the status bar (lines with the cellular signal level, time, battery charge), instead it is an empty space.

Compare yourself:

On the left - my record, on the right - the official screenshot of the application

Such a video can be recorded only by the application itself.

Why?

On the iPhone (namely, on it I launched the application) - it is impossible to hide the status bar when using the OS tools to record the display (and the others do not exist).

There is no jailbreak on my iPhone (OS hacking) and the latest version of iOS is installed, so I don’t have the option to hide the status bar or use a third-party application to record the screen.

Therefore, the only option to get such a record is for the application to record itself, since on iOS it cannot record system elements other than the keyboard.

Also compare the empty status bars on the records provided by Burger King, and on my video. They match, they are not.

Part III. Conclusion

Part III.I. Results

What do we have in the end?

Each item of the "refutation" of the Burger King is broken by me to the nines.

Here is the evidence of the direct lies of Burger King.

Part III.II. Check RosKomNadzor

I (and many people) would like RosKomNadzor to check Burger King about their unsafe and pofigistic handling of personal data and bank cards of clients.

And so that it is not limited to fasting in a VK with memesics, but a serious test.

Part III.III. Why my Burger King cards?

Foreshadowing the question:

“Why would a burger king steal payment card data?” They are already rich, and stealing cards will ruin their reputation. ” (Quote from the real question on the forum)

- I will answer:

The fact is that the Burger King application is not made by the director of the network himself. Believe me, he is not sitting on a leather chair at the computer, lighting a Cuban cigar with a pack of bucks and dialing the application code to steal money from the Russians.

The Burger King application is made by the e-Legion company they hired , and everyone on the screen has access to the screen (I don’t believe the e-Legion claims that only Burger King’s employees have access to a lie that I have proven ): and e-Legion and Burger King and everything in between.

There may be a student working for doshiraki, and wanting easy money.

And maybe the attacker who right now caught your card and has already bought a brand new iPhone.

You will never know, because if this happens, then Burger King, as usual, will blatantly tell you and say that everything is “okay, and in general -“ you have fumigated ”.

And there is nowhere to spoil the reputation there.

Part III.IV. Employees who should not be allowed to people.

Brazen lies, threats, rudeness, insults. This is just the beginning.

Although what to expect from a company with such an advertisement:

And such employees:

Caution, mate (smeared - prim.mod.)!