
Burger King Uses DMCA to Remove Blog Exposing Drive-Thru System Security Flaws


Burger King has invoked the Digital Millennium Copyright Act to force the removal of a security researcher’s blog post that disclosed serious vulnerabilities in its new drive-thru “Assistant” system.

Ethical hacker BobDaHacker published a report showing how attackers could bypass authentication, listen in on customer orders, and access employee records before a takedown notice took the content offline.

Security Research and Responsible Disclosure

On Saturday, BobDaHacker published a blog post titled “We Hacked Burger King,” detailing weaknesses in the still-in-beta Assistant platform built on AWS Cognito.

Because user registration had not been disabled, anyone could sign up as a new user and receive a password in plaintext via email.

With that account, BobDaHacker demonstrated the ability to see and modify data across every store using the system, including employee profiles and internal equipment orders.

A hidden GraphQL mutation even allowed the researcher to promote any user ...


Copyright of this story solely belongs to gbhackers.