How I Got Unlimited Burger King Points

diego
January 25, 2026
6 min read

You know that satisfying feeling when you find a coupon code that actually works? Now multiply that by a thousand. That's basically what happened when I stumbled upon one of the dumbest bugs I've ever seen in a loyalty program.

This is the story of how Burger King Spain accidentally let me send unlimited points to my personal account, all because they forgot to check one tiny thing.

Don't worry, it's patched now. This is just a fun story about what was.


It Started With a Survey

Burger King Spain runs this loyalty program where you collect "Coronas" (crowns) and exchange them for free food. Pretty standard stuff. One of the ways to earn points was completing a simple survey - you know, the usual "what are your hobbies?" type of questions. Answer a few things about whether you prefer Netflix or Disney+, Formula 1 or MotoGP, and boom - 1,500 free points deposited into your account.

Cool, right? Free points just for clicking some buttons.

But here's the thing. You could only complete this survey once per account. One account, one survey, 1,500 points. That's it. Fair enough.

Or so I thought.


The URL That Changed Everything

When you got invited to complete the survey, Burger King sent you to a URL that looked something like this:

https://cloud.info.burgerkingencasa.es/cualificacion-app?sk=XXXXX&loyaltyID=YYYYY

Two parameters caught my eye:

  • sk - This was the Salesforce ID, basically an identifier tied to the account that received the survey invitation
  • loyaltyID - This was YOUR loyalty card number, where the points would be deposited

And that's when the gears started turning in my head.

What if... I used someone else's survey link... but with MY loyalty ID?


The Bug: They Never Checked If You Were You

Here's what Burger King SHOULD have done: verify that the sk (the account ID) and the loyaltyID (where points go) actually belonged to the same person.

Here's what Burger King ACTUALLY did: absolutely nothing. They just trusted whatever you sent them.

So the exploit was stupidly simple:

  1. Create a brand new Burger King account with a fake email
  2. Get that account's Salesforce ID (the sk parameter)
  3. Build a survey URL using that new account's sk BUT with my personal loyalty ID
  4. Complete the survey
  5. Watch 1,500 points magically appear in MY account

The new fake account? It got nothing. All the points went straight to me.

And the best part? I could do this over and over again. Every new account I created was a fresh survey that could funnel points into my main account.
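To make the missing check concrete, here is an added example (not Burger King's code, and not the script from this post) that models the survey handler twice: once with the behaviour described above, where any valid invite credits whatever loyaltyID the URL names, and once hardened so the card is looked up server-side from the invited account and the submitter has to be logged in as that account. The in-memory backend, the account and card names, and the assumption that a survey submission carries an authenticated session are all mine for illustration.

```python
from dataclasses import dataclass, field

SURVEY_REWARD = 1500  # points per completed survey, the figure given in the post


@dataclass
class Account:
    sk: str                  # identifier carried in the invite link (the "sk" parameter)
    loyalty_id: str          # loyalty card bound to this account when it was created
    survey_done: bool = False


@dataclass
class LoyaltyBackend:
    """Assumed in-memory stand-in for the real loyalty service (not Burger King's code)."""
    accounts: dict = field(default_factory=dict)   # sk -> Account
    balances: dict = field(default_factory=dict)   # loyalty_id -> points

    def register(self, sk: str, loyalty_id: str) -> None:
        self.accounts[sk] = Account(sk, loyalty_id)
        self.balances.setdefault(loyalty_id, 0)

    def complete_survey_vulnerable(self, sk: str, loyalty_id: str) -> bool:
        """The bug as described: any valid, unused invite credits whatever
        loyalty_id the URL names. sk and loyalty_id are never linked."""
        acct = self.accounts.get(sk)
        if acct is None or acct.survey_done:
            return False
        acct.survey_done = True
        self.balances[loyalty_id] = self.balances.get(loyalty_id, 0) + SURVEY_REWARD
        return True

    def complete_survey_fixed(self, sk: str, loyalty_id: str, session_sk: str) -> bool:
        """Hardened version. Three things the original did not do:
        1. the caller must be logged in as the invited account (session_sk is
           assumed to come from an authenticated session, never from the URL);
        2. the loyalty_id in the URL must match the card bound to that account;
        3. the credit goes to the card looked up server-side, not to the URL value."""
        acct = self.accounts.get(sk)
        if acct is None or acct.survey_done:
            return False
        if session_sk != sk:
            return False                      # using someone else's invite link
        if loyalty_id != acct.loyalty_id:
            return False                      # tampered destination
        acct.survey_done = True
        self.balances[acct.loyalty_id] += SURVEY_REWARD
        return True


def run_scenario() -> dict:
    """Replays the post's attack against both handlers and reports what happened."""
    attacker_card = "LOY-MAIN"
    throwaways = [(f"sk-throwaway-{i}", f"LOY-throwaway-{i}") for i in range(3)]

    vuln = LoyaltyBackend()
    vuln.register("sk-main", attacker_card)
    for sk, card in throwaways:
        vuln.register(sk, card)
    # Each throwaway's invite URL is rebuilt with loyaltyID=LOY-MAIN.
    vuln_results = [vuln.complete_survey_vulnerable(sk, attacker_card) for sk, _ in throwaways]

    fixed = LoyaltyBackend()
    fixed.register("sk-main", attacker_card)
    for sk, card in throwaways:
        fixed.register(sk, card)
    # Same forged URLs, submitted while logged in as the throwaway account:
    # rejected because the URL's card is not that account's card.
    forged_as_throwaway = [fixed.complete_survey_fixed(sk, attacker_card, session_sk=sk)
                           for sk, _ in throwaways]
    # Same forged URLs, submitted while logged in as the main account:
    # rejected because the session does not own the invite.
    forged_as_main = [fixed.complete_survey_fixed(sk, attacker_card, session_sk="sk-main")
                      for sk, _ in throwaways]
    # Honest use still works, and still only once per account.
    honest_first = fixed.complete_survey_fixed("sk-main", attacker_card, session_sk="sk-main")
    honest_second = fixed.complete_survey_fixed("sk-main", attacker_card, session_sk="sk-main")

    return {
        "vulnerable_accepted": vuln_results,
        "vulnerable_attacker_balance": vuln.balances[attacker_card],
        "fixed_forged_as_throwaway": forged_as_throwaway,
        "fixed_forged_as_main": forged_as_main,
        "fixed_attacker_balance": fixed.balances[attacker_card],
        "fixed_honest": (honest_first, honest_second),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the hardened handler is not the extra comparison on loyalty_id; it is that the destination is never taken from the request in the first place. Once the card is derived from the authenticated account, the URL parameter becomes a sanity check rather than the thing being trusted.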


Automating the Whopper Machine

Now, doing this manually would be tedious. Create account, verify email, grab the ID, build the URL, complete the survey... that's a lot of clicking for 1,500 points.

So I wrote a little script to do it for me.

The flow was simple:

First, the account factory:

  1. Generate a temporary email address using one of those disposable email services
  2. Hit Burger King's registration API with the fake email and some random data
  3. Wait for the confirmation email to arrive
  4. Click the verification link
  5. Log into the new account and grab its Salesforce ID
  6. Save the survey URL (with MY loyalty ID attached) to a file

Then, the point harvester:

  1. Read all those saved URLs
  2. Visit each one
  3. Fill out the survey with random answers (yes, I like Netflix, yes, I watch Formula 1, whatever)
  4. Submit
  5. Points go brrrrr

Each cycle took maybe 30 seconds. Each cycle was worth 1,500 points. You do the math.


What Made This Possible

Looking back, several things had to go wrong for this to work:

No verification between account and loyalty ID. This was the big one. The system blindly trusted that if you had a valid survey link, you deserved the points - regardless of where those points were going.

Unlimited account creation. There was no CAPTCHA, no phone verification, no rate limiting. You could create as many accounts as you wanted, as fast as you wanted.

Temporary emails worked fine. The system accepted any email that could receive mail. Those 10-minute disposable addresses? Perfectly valid.

Instant point crediting. Points showed up immediately. No waiting period, no human review, no fraud detection saying "hey, this one loyalty ID just received points from 47 different surveys in the last hour."

The survey was always available. New accounts could immediately access the qualification survey. No need to make a purchase first or wait for an invitation.

It was like they built a points piñata and handed everyone a baseball bat.


The Haul

A multi-billion dollar company, and their loyalty program could be drained by anyone with basic programming knowledge and a free afternoon.


Why This Matters (Beyond Free Burgers)

This wasn't a sophisticated hack. There was no SQL injection, no buffer overflow, no zero-day exploit. It was just... a missing check. One if statement that should have existed but didn't.

And that's actually the scary part. Most security vulnerabilities aren't clever. They're obvious in hindsight. Someone just forgot to verify that A matched B.

If you're building any kind of rewards system, here's what you should learn from Burger King's mistake:

Always validate ownership. If an action involves two identifiers (like an account ID and a loyalty ID), verify they belong to the same person. Every. Single. Time. Better still, don't accept the destination from the client at all: look up the loyalty card from the authenticated account on the server and treat whatever loyaltyID the URL carries as untrusted input.

Rate limit account creation. Normal humans don't create 100 accounts per hour. If someone is, that's a red flag.

Require real verification. SMS confirmation isn't perfect, but it's a lot better than accepting any email that exists.

Add delays to rewards. If points took 24-48 hours to credit, there would be time to detect patterns and stop abuse before it got out of hand.

Monitor for anomalies. One loyalty ID receiving points from dozens of different account surveys? That should trigger an alert somewhere.
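The two alerts this section and the "Instant point crediting" paragraph above call for (one loyalty ID collecting survey credits from many different accounts, and any account being credited more than once) are easy to express as rules over the credit log. This is an added example, not Burger King's monitoring; the log format, the sample lines and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format for a survey credit event (constructed for this example;
# the real service's logging is not known from the post).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) survey_credit "
    r"sk=(?P<sk>\S+) loyalty_id=(?P<lid>\S+) points=(?P<pts>\d+)$"
)

# Constructed sample log: one honest credit, one card collecting four
# invites in two minutes, one account credited twice, and a junk line.
SAMPLE_LOG = """\
2026-01-20T10:00:00Z survey_credit sk=sk-a1 loyalty_id=LOY-1001 points=1500
2026-01-20T10:00:30Z survey_credit sk=sk-t1 loyalty_id=LOY-9999 points=1500
2026-01-20T10:01:00Z survey_credit sk=sk-t2 loyalty_id=LOY-9999 points=1500
2026-01-20T10:01:30Z survey_credit sk=sk-t3 loyalty_id=LOY-9999 points=1500
2026-01-20T10:02:00Z survey_credit sk=sk-t4 loyalty_id=LOY-9999 points=1500
2026-01-20T12:30:00Z survey_credit sk=sk-b2 loyalty_id=LOY-1002 points=1500
2026-01-20T13:00:00Z survey_credit sk=sk-b2 loyalty_id=LOY-1002 points=1500
this line is not a credit event and must be skipped
"""


def parse_line(line):
    """Return (timestamp, sk, loyalty_id, points) or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["sk"], m["lid"], int(m["pts"])


def detect_abuse(log_text, window=timedelta(hours=1), fan_in_threshold=3):
    """Two rules over credit events, processed in time order.

    fan_in:    a loyalty_id credited by >= fan_in_threshold distinct sk values
               inside `window` (one card harvesting many accounts' surveys).
    repeat_sk: the same sk credited more than once (the survey is once per account).

    Returns {"fan_in": {loyalty_id: details}, "repeat_sk": [(sk, timestamp), ...]}.
    """
    events = sorted(filter(None, (parse_line(line) for line in log_text.splitlines())),
                    key=lambda e: e[0])
    recent = defaultdict(deque)     # loyalty_id -> (ts, sk, pts) credits inside the window
    seen_sk = set()
    fan_in, repeat_sk = {}, []

    for ts, sk, lid, pts in events:
        if sk in seen_sk:
            repeat_sk.append((sk, ts))
        seen_sk.add(sk)

        q = recent[lid]
        q.append((ts, sk, pts))
        while q and ts - q[0][0] > window:
            q.popleft()                       # drop credits older than the window
        distinct = {s for _, s, _ in q}
        if len(distinct) >= fan_in_threshold:
            entry = fan_in.setdefault(lid, {"first_alert_at": ts,
                                            "distinct_accounts": 0,
                                            "points_in_window": 0})
            entry["distinct_accounts"] = max(entry["distinct_accounts"], len(distinct))
            entry["points_in_window"] = max(entry["points_in_window"], sum(p for _, _, p in q))

    return {"fan_in": fan_in, "repeat_sk": repeat_sk}


if __name__ == "__main__":
    result = detect_abuse(SAMPLE_LOG)
    for lid, details in result["fan_in"].items():
        print(f"fan-in alert: {lid} {details}")
    for sk, ts in result["repeat_sk"]:
        print(f"repeat credit: {sk} at {ts.isoformat()}")
```

With a 24-48 hour crediting delay in front of this, the fan-in alert fires on the third throwaway account, long before the points become spendable, and the repeat rule catches the case where the once-per-account guard itself fails. The threshold is deliberately low because an honest card should only ever be credited by the one account it belongs to.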


The Patch

Eventually, Burger King figured it out. I don't know if someone reported it or if they finally noticed the suspicious activity, but the party came to an end.

Now the system actually checks that your survey invitation matches your loyalty account. Revolutionary concept, I know.

The accounts I created are probably all banned. The points are gone. The Whoppers have been digested.

But the memories? Those are forever.


Final Thoughts

Was this ethical? Debatable. Was it illegal? Probably in some technical sense. Was it delicious? Absolutely.

I share this story not as a guide (again, it's patched), but as a reminder that even big companies make silly mistakes. Security isn't about building impenetrable fortresses - it's about not leaving the back door wide open with a sign that says "FREE CROWNS, HELP YOURSELF."

To Burger King's security team: sorry about all those Whoppers. They were very good though.

And to anyone building a loyalty program: please, for the love of all that is flame-grilled, validate your parameters.

🍔👑


This vulnerability has been patched. This post is for educational and entertainment purposes only. If you try to replicate this, you'll just get banned and hungry.
