Burger King has invoked the U.S. Digital Millennium Copyright Act (DMCA) to force the removal of a security researcher’s blog post that exposed critical vulnerabilities in its drive-thru “Assistant” system.
The move has sparked debate over the use of copyright law to suppress legitimate security disclosures.
Key Takeaways
1. Burger King had a DMCA takedown notice sent over research into flaws in its AWS Cognito-based drive-thru "Assistant" platform.
2. RBI fixed the bugs the same day, but the takedown triggered widespread reposting of the research.
3. Critics warn the tactic chills open security disclosure.
Burger King Threatens Hacker with Legal Action
BobDaHacker discovered multiple vulnerabilities in the still-in-beta “Assistant” platform, built on AWS Cognito, which is being piloted at select Burger King and Popeyes locations.
In the blog post, titled “We Hacked Burger King,” BobDaHacker described a sign-up flow that performed no authorization checks, so anyone could register an account on the platform. The platform also emailed account credentials in plaintext.
From that foothold, BobDaHacker gained access to the entire system, using a GraphQL mutation to escalate to administrator privileges across all connected restaurants.
From that vantage, the researcher could add or remove stores, view and edit employee accounts, and even interact with drive-thru audio devices.
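The article names the bug class (a mutation that lets a freshly registered, low-privilege account make itself an administrator) but not the Assistant platform's schema or code. The following is an added illustration of that class written for this page, not code from BobDaHacker's post or from RBI: the user store, the `updateUser` mutation, its field names and the `SELF_WRITABLE` allow-list are all hypothetical. It shows a resolver that authenticates the caller but never authorizes the change, next to a hardened version that restricts which fields a caller may write and who may change `role`.

```javascript
// Added illustration of the bug class the article describes: a GraphQL
// mutation that lets a low-privilege account grant itself admin rights.
// This is NOT the Assistant platform's real schema or code (the article
// gives neither); the types, field names and resolvers below are made up.
//
// Both resolvers take (db, context, args). `context.user` is the caller as
// resolved from the session token; `args.input` is the mutation payload.

// Constructed in-memory "database" standing in for the user store.
function makeDb() {
  return {
    users: new Map([
      ["u-admin", { id: "u-admin", email: "admin@example.test", role: "ADMIN" }],
      ["u-self",  { id: "u-self",  email: "self@example.test",  role: "STAFF" }],
    ]),
  };
}

// Vulnerable resolver: checks that a session exists (authentication) but
// never checks what the caller is allowed to change (authorization). The
// whole input object is merged into the stored record, so a caller who adds
// `role: "ADMIN"` to the payload escalates themselves.
function updateUserVulnerable(db, context, args) {
  if (!context.user) throw new Error("UNAUTHENTICATED");
  const target = db.users.get(args.id);
  if (!target) throw new Error("NOT_FOUND");
  Object.assign(target, args.input); // no allow-list, no role check
  return target;
}

// Hardened resolver: callers may only edit their own record unless they are
// ADMIN, only allow-listed fields are writable, and `role` may only be
// changed by an ADMIN acting on someone else's account.
const SELF_WRITABLE = new Set(["email"]); // hypothetical allow-list

function updateUserHardened(db, context, args) {
  if (!context.user) throw new Error("UNAUTHENTICATED");
  const caller = db.users.get(context.user.id);
  if (!caller) throw new Error("UNAUTHENTICATED");
  const target = db.users.get(args.id);
  if (!target) throw new Error("NOT_FOUND");

  const isAdmin = caller.role === "ADMIN";
  if (!isAdmin && target.id !== caller.id) throw new Error("FORBIDDEN");

  for (const [field, value] of Object.entries(args.input)) {
    if (field === "role") {
      if (!isAdmin || target.id === caller.id) throw new Error("FORBIDDEN");
    } else if (!SELF_WRITABLE.has(field)) {
      throw new Error(`FORBIDDEN_FIELD:${field}`);
    }
    target[field] = value;
  }
  return target;
}

// Demo: a self-registered STAFF account submits `role: "ADMIN"` in the
// mutation payload. Returns the role the attacker ends up with under each
// resolver, plus the error the hardened one raised.
function escalationDemo() {
  const attackerArgs = { id: "u-self", input: { role: "ADMIN" } };
  const ctx = { user: { id: "u-self" } };

  const dbA = makeDb();
  const vulnRole = updateUserVulnerable(dbA, ctx, attackerArgs).role;

  const dbB = makeDb();
  let hardenedError = null;
  try {
    updateUserHardened(dbB, ctx, attackerArgs);
  } catch (e) {
    hardenedError = e.message;
  }
  const hardenedRole = dbB.users.get("u-self").role;
  return { vulnRole, hardenedRole, hardenedError };
}

console.log(escalationDemo());
```

The point of the allow-list is that authorization is decided per field, not per mutation: an `updateUser` operation that is legitimately available to every logged-in user still must not let that user touch `role`, and the check that enforces it lives in the resolver, not in the client.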
Despite following responsible disclosure practices and reporting the flaws to Restaurant Brands International (RBI) within an hour of discovery, BobDaHacker received a takedown notice from threat intelligence firm Cyble.
The notice alleged trademark infringement and accused the researcher of promoting illegal activity and disseminating false information.
The complaint, framed as “brand protection,” cited unauthorized use of the “Burger King” trademark and threatened legal action under “gross unfair competition.”
Within hours of the DMCA notice, multiple cybersecurity professionals began sharing archived copies of the original report on Mastodon, invoking the Streisand effect.
Barbra Streisand memes circulated alongside the reposts, underscoring the backlash against using the DMCA to stifle security research.
An RBI spokesperson told Information Security Media Group that the Assistant program is in early testing and retains neither customer identities nor long-term data.
“The intent of this test program is to help team members deliver a better guest experience,” the statement read. RBI stressed features such as order accuracy verification and real-time equipment notifications, but declined to comment on the legal notice or Cyble’s involvement.
BobDaHacker maintains that no sensitive customer data was stored or exfiltrated during testing.
RBI patched the reported flaws the same day BobDaHacker disclosed them. Yet the swift DMCA action has raised concerns that companies may weaponize copyright claims to head off reputational damage rather than engage with the security community.