Burger King has invoked the Digital Millennium Copyright Act to force the removal of a security researcher’s blog post that disclosed serious vulnerabilities in its new drive-thru “Assistant” system.
Ethical hacker BobDaHacker published a report showing how attackers could bypass authentication, listen in on customer orders, and access employee records before a takedown notice took the content offline.
Security Research and Responsible Disclosure
On Saturday, BobDaHacker published a blog post titled “We Hacked Burger King,” detailing weaknesses in the still-in-beta Assistant platform built on AWS Cognito.
Because self-service user registration had not been disabled, anyone could sign up for a new account and receive their password in plaintext by email.
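The registration weakness above is a pool-level setting in Cognito. The following audit is an added example, not code from the researcher's report or from RBI's platform: it flags a user pool that still allows self-service sign-up (along with other defaults a beta pool is commonly left with). The field names are real Cognito `describe_user_pool` fields; the two sample pool descriptions are constructed, and `audit_live_pool` is a hypothetical helper that only works with AWS credentials.

```python
"""Audit a Cognito user pool description for sign-up and password weaknesses.

Added example; the sample pools below are constructed to mirror the shape of
boto3's describe_user_pool()["UserPool"] response, not copied from any real pool.
"""
from __future__ import annotations

from typing import Any


def audit_user_pool(pool: dict[str, Any]) -> list[str]:
    """Return human-readable findings for one Cognito user pool description."""
    findings: list[str] = []

    # Self-service registration: if admins are not the only ones allowed to
    # create users, any unauthenticated party can sign themselves up.
    admin_cfg = pool.get("AdminCreateUserConfig", {})
    if not admin_cfg.get("AllowAdminCreateUserOnly", False):
        findings.append(
            "self-service sign-up is enabled (AllowAdminCreateUserOnly=false): "
            "anyone can register an account"
        )

    # Pool-wide MFA setting: OFF means no second factor is ever required.
    if pool.get("MfaConfiguration", "OFF") == "OFF":
        findings.append("MFA is OFF for the pool")

    pw = pool.get("Policies", {}).get("PasswordPolicy", {})
    if pw.get("MinimumLength", 0) < 12:
        findings.append(f"password MinimumLength is {pw.get('MinimumLength', 0)} (< 12)")

    # Temporary passwords are delivered out of band; keep their lifetime short.
    if pw.get("TemporaryPasswordValidityDays", 7) > 1:
        findings.append(
            f"temporary passwords stay valid for "
            f"{pw.get('TemporaryPasswordValidityDays', 7)} days (> 1)"
        )
    return findings


# Constructed sample: a beta pool left on defaults.
SAMPLE_POOL: dict[str, Any] = {
    "Id": "us-east-1_EXAMPLE",
    "Name": "assistant-beta",
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False},
    "MfaConfiguration": "OFF",
    "Policies": {"PasswordPolicy": {"MinimumLength": 8, "TemporaryPasswordValidityDays": 7}},
}

# Constructed sample: the same pool after hardening.
HARDENED_POOL: dict[str, Any] = {
    "Id": "us-east-1_EXAMPLE",
    "Name": "assistant-beta",
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": True},
    "MfaConfiguration": "ON",
    "Policies": {"PasswordPolicy": {"MinimumLength": 12, "TemporaryPasswordValidityDays": 1}},
}


def audit_live_pool(user_pool_id: str, region: str | None = None) -> list[str]:
    """Hypothetical helper: fetch a real pool with boto3 (needs AWS credentials)."""
    import boto3  # imported lazily so the offline sample still runs without it

    client = boto3.client("cognito-idp", region_name=region)
    return audit_user_pool(client.describe_user_pool(UserPoolId=user_pool_id)["UserPool"])


if __name__ == "__main__":
    for name, pool in (("beta defaults", SAMPLE_POOL), ("hardened", HARDENED_POOL)):
        print(f"{name}: {audit_user_pool(pool) or ['no findings']}")
```

The same settings can be read without Python via `aws cognito-idp describe-user-pool --user-pool-id <id>`; `AllowAdminCreateUserOnly` is the one that decides whether outsiders can create their own accounts.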
With that account, BobDaHacker demonstrated the ability to see and modify data across every store using the system, including employee profiles and internal equipment orders.
A hidden GraphQL mutation even allowed the researcher to promote any user to admin, giving full control over store listings, notifications, and more.
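An undocumented mutation is not a protected one: a resolver that is left out of the published schema can still be called by anyone who discovers its name. The dispatcher below is an added example (not the researcher's code and not RBI's), using hypothetical names, that contrasts a resolver that trusts any authenticated caller with one that derives the caller's role from server-side state before acting.

```python
"""Minimal GraphQL-style mutation dispatcher: hidden vs. authorized mutation.

Added example with constructed data; the mutation and user names are invented.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable


@dataclass
class User:
    username: str
    role: str      # "user" or "admin"
    store_id: str  # the single store this account belongs to


def make_directory() -> dict[str, User]:
    """Fresh in-memory identity store (constructed) so each run starts clean."""
    return {
        "alice": User("alice", "user", "store-1"),
        "bob": User("bob", "user", "store-2"),
        "root": User("root", "admin", "hq"),
    }


# Mutations advertised in the public schema.  "promoteUser" is deliberately
# absent, mirroring a mutation that is hidden from introspection.
PUBLIC_SCHEMA = {"updateProfile"}


def update_profile(directory: dict[str, User], caller: User, display_name: str) -> str:
    return f"{caller.username} -> {display_name}"


def promote_user_vulnerable(directory: dict[str, User], caller: User, target: str) -> str:
    """Hidden but unchecked: any caller who knows the name can escalate anyone."""
    directory[target].role = "admin"
    return directory[target].role


def promote_user_hardened(directory: dict[str, User], caller: User, target: str) -> str:
    """Authorization comes from the caller's server-side record, not the request."""
    if caller.role != "admin":
        raise PermissionError(f"{caller.username} may not promote users")
    if target not in directory:
        raise KeyError(target)
    directory[target].role = "admin"
    return directory[target].role


Resolver = Callable[..., str]

VULNERABLE_MUTATIONS: dict[str, Resolver] = {
    "updateProfile": update_profile,
    "promoteUser": promote_user_vulnerable,
}
HARDENED_MUTATIONS: dict[str, Resolver] = {
    "updateProfile": update_profile,
    "promoteUser": promote_user_hardened,
}


def execute(mutations: dict[str, Resolver], directory: dict[str, User],
            caller_name: str, mutation: str, **args: str) -> str:
    """Dispatch a mutation for an authenticated caller.

    Note that PUBLIC_SCHEMA is never consulted here: hiding a name from the
    schema docs changes nothing about what the server will execute.
    """
    caller = directory[caller_name]
    resolver = mutations.get(mutation)
    if resolver is None:
        raise ValueError(f"unknown mutation {mutation}")
    return resolver(directory, caller, **args)


if __name__ == "__main__":
    d = make_directory()
    print("hidden?", "promoteUser" not in PUBLIC_SCHEMA)
    print("vulnerable:", execute(VULNERABLE_MUTATIONS, d, "alice", "promoteUser", target="alice"))
    d = make_directory()
    try:
        execute(HARDENED_MUTATIONS, d, "alice", "promoteUser", target="alice")
    except PermissionError as exc:
        print("hardened:", exc)
```

The check that matters is the one inside `promote_user_hardened`: the decision uses the role stored for the caller on the server, so neither the mutation's obscurity nor any client-supplied field influences it.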
BobDaHacker says the flaws were reported to Restaurant Brands International (RBI) just one hour after discovery.
RBI promptly patched the vulnerabilities the same day. The researcher confirms no customer data was retained, and responsible disclosure protocols were followed throughout.
Despite the swift fix, threat intelligence firm Cyble sent BobDaHacker a DMCA notice alleging unauthorized use of the “Burger King” trademark and accusing the blog of promoting illegal activity.
The notice argued that the blog could confuse the public into thinking it was endorsed by Burger King, and that the content harmed the company’s goodwill. Both RBI and Cyble declined to comment on the takedown request.
BobDaHacker’s report had been live for less than 48 hours before the blog was taken down. An archived copy remains available online, and cybersecurity professionals have reposted the findings on social platforms, pointing to the Streisand effect, in which attempts to suppress information only draw more attention to it.
According to the archived report, the Assistant platform retained audio recordings of drive-thru conversations and processed them through an AI engine to score employee friendliness, wait times, and upsell success.
Attackers could replay audio clips, potentially eavesdropping on customer orders. The researcher also uncovered a hardcoded password in the client-side HTML of an equipment ordering portal used by franchisees to request starter kits.
A Burger King spokesperson told Information Security Media Group that the test platform does not store customer data long-term and only retains aggregated information for a few weeks.
They emphasized that the program aims to “help team members deliver a better guest experience” by verifying order accuracy and monitoring equipment status.
As major chains increasingly adopt AI-driven voice assistants, this incident underscores the importance of locking down authentication flows and safeguarding sensitive audio data, especially during beta testing.