Edward Kiledjian's Threat Intel

Burger King Uses Copyright Law to Nix Security Research

Burger King forced security researcher “BobDaHacker” to remove a blog post detailing critical vulnerabilities in Restaurant Brands International’s “Assistant” system, which is used across Burger King, Tim Hortons, Popeyes, and Firehouse Subs drive-throughs. The researcher found that the AWS Cognito-based system allowed unauthorized user creation, granted access to store information without authentication, contained hardcoded passwords, and permitted privilege escalation to admin status across the entire platform. The flaws exposed employees’ personal information and allowed remote eavesdropping on drive-through conversations; the system’s AI also scores employees on “friendliness” and tracks their upselling performance. Although the researcher followed responsible disclosure practices and RBI fixed the flaws within hours of being notified, threat intelligence firm Cyble sent a DMCA takedown notice claiming trademark violation and alleging that the research “promoted illegal activity.” The result was a Streisand effect, with cybersecurity professionals sharing archived copies of the research across social media platforms.
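A defender-side check for the two Cognito settings behind the class of findings described above (self-registration left open, and app clients allowed to write attributes the application treats as authorization), added here as an example; it is not code from the post, the researcher, or RBI. The input dicts mirror the shape of boto3's `describe_user_pool` and `describe_user_pool_client` responses, and the attribute names and sample pools are assumptions constructed for the example.

```python
# Added example: offline audit of an Amazon Cognito user pool for two settings
# behind the class of findings described above. Input dicts mirror the shape of
# boto3 cognito-idp describe_user_pool()["UserPool"] and
# describe_user_pool_client()["UserPoolClient"]; the samples are constructed.

# Attribute names an application might use for authorization decisions.
# Assumed naming; adjust to the names your application actually reads.
ROLE_LIKE_ATTRIBUTES = {"custom:role", "custom:is_admin", "custom:store_ids"}


def audit_user_pool(pool: dict, clients: list[dict]) -> list[str]:
    """Return human-readable findings (an empty list means nothing was flagged)."""
    findings = []

    # Unauthorized user creation: unless AllowAdminCreateUserOnly is true,
    # anyone who knows the app client id can self-register an account.
    admin_only = pool.get("AdminCreateUserConfig", {}).get("AllowAdminCreateUserOnly", False)
    if not admin_only:
        findings.append("self-registration is open: AllowAdminCreateUserOnly is false")

    # Privilege escalation: if an app client may write the attributes the
    # application uses for authorization, users can change those values
    # themselves, so the backend cannot trust them.
    for client in clients:
        writable = set(client.get("WriteAttributes", [])) & ROLE_LIKE_ATTRIBUTES
        if writable:
            findings.append(
                f"client {client.get('ClientId', '?')} can write authorization "
                f"attributes: {sorted(writable)}"
            )
    return findings


# Constructed sample: a pool configured the way the findings above describe.
WEAK_POOL = {"Id": "us-east-1_EXAMPLE", "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False}}
WEAK_CLIENTS = [{"ClientId": "example-client", "WriteAttributes": ["email", "custom:role"]}]

# Constructed sample: the same pool after hardening.
HARDENED_POOL = {"Id": "us-east-1_EXAMPLE", "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": True}}
HARDENED_CLIENTS = [{"ClientId": "example-client", "WriteAttributes": ["email"]}]

if __name__ == "__main__":
    for label, pool, clients in (("weak", WEAK_POOL, WEAK_CLIENTS),
                                 ("hardened", HARDENED_POOL, HARDENED_CLIENTS)):
        print(label, audit_user_pool(pool, clients) or ["no findings"])
```

Against a live account, feed the function the `UserPool` and `UserPoolClient` dicts returned by boto3 for each pool and client you own.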