Serves up a fine example of the Streisand Effect
Burger King’s parent company has come under fire for allegedly using copyright law to suppress a researcher who uncovered serious security flaws in its drive-through ordering technology.
The controversy erupted after a self-described ethical hacker known as “BobDaHacker” published a blog post on Saturday detailing vulnerabilities in the “Assistant” system operated by Toronto-based Restaurant Brands International (RBI), which owns Burger King, Tim Hortons, Popeyes and Firehouse Subs.
According to the researcher, the system could be exploited by outsiders to listen in on drive-through conversations, manipulate employee accounts and access sensitive store data.
The post, titled “We Hacked Burger King,” remained online for less than two days before being taken down following a takedown notice.
The notice, issued through cybersecurity firm Cyble on RBI’s behalf, alleged unauthorised use of the “Burger King” trademark and claimed the content promoted illegal activity, spread false information, and damaged the company’s reputation.
Cyble, which markets “brand protection” services, cited the US Digital Millennium Copyright Act (DMCA) as the legal basis for demanding removal.
In a follow-up statement, BobDaHacker insisted responsible disclosure protocols had been followed, saying flaws had been reported to RBI within an hour of discovery and stressing that no customer data was collected.
RBI reportedly fixed the issues the same day, but still pursued takedown action.
The move has sparked backlash within the cybersecurity community. Researchers on Mastodon quickly shared archived versions of the blog post and mocked RBI’s response with images of Barbra Streisand, invoking the so-called “Streisand effect” – where efforts to censor information only draw more public attention to it.
What the research uncovered
In the original report, BobDaHacker explained how RBI’s Assistant system, built on Amazon Web Services’ Cognito platform, was left vulnerable because user sign-ups had not been disabled.
By creating a fake account, the researcher said they received a password in plaintext by email, granting them access to the system without further authentication.
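The article says the Assistant platform's Cognito user pool still allowed self-service sign-up and that a fresh account could authenticate without any further check. The configuration audit below is an added example, not code from the original post or from RBI: it inspects the `UserPool` dictionary that boto3's `cognito-idp` `describe_user_pool()` call returns and flags open self-registration, and, going beyond what the page states, two related hardening settings (MFA off and a weak password policy). The two pool descriptions are constructed for the example, so it runs offline; `audit_from_boto3` is a hypothetical helper showing where a live client would plug in.

```python
"""Offline audit of an Amazon Cognito user pool description (added example)."""
from typing import Any, Dict, List

# Constructed samples modelled on the 'UserPool' member of a boto3
# cognito-idp describe_user_pool() response. Ids and names are placeholders.
WEAK_POOL: Dict[str, Any] = {
    "Id": "us-east-1_EXAMPLEPOOL",
    "Name": "assistant-users",
    # False here means the public SignUp API is open to anyone.
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False},
    "MfaConfiguration": "OFF",
    "Policies": {"PasswordPolicy": {"MinimumLength": 8, "RequireSymbols": False}},
}

HARDENED_POOL: Dict[str, Any] = {
    "Id": "us-east-1_EXAMPLEPOOL",
    "Name": "assistant-users",
    # Only an administrator (or a provisioning pipeline) can create accounts.
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": True},
    "MfaConfiguration": "ON",
    "Policies": {"PasswordPolicy": {"MinimumLength": 14, "RequireSymbols": True}},
}


def audit_user_pool(pool: Dict[str, Any]) -> List[str]:
    """Return human-readable findings for one user pool description.

    An empty list means none of the checked weaknesses were present.
    """
    findings: List[str] = []

    # Self-registration: the setting the article says had not been disabled.
    admin_cfg = pool.get("AdminCreateUserConfig", {})
    if not admin_cfg.get("AllowAdminCreateUserOnly", False):
        findings.append(
            "self-service sign-up is enabled (AllowAdminCreateUserOnly is false)"
        )

    # A pool-wide MFA requirement stops a leaked or emailed password from
    # being sufficient on its own. 'OPTIONAL' still leaves a gap, but is
    # reported separately from 'OFF' so operators can triage it.
    mfa = pool.get("MfaConfiguration", "OFF")
    if mfa == "OFF":
        findings.append("MFA is OFF for the pool")
    elif mfa == "OPTIONAL":
        findings.append("MFA is OPTIONAL; users may skip it")

    # Password policy floor; 12 is a reasonable minimum for an operator portal.
    policy = pool.get("Policies", {}).get("PasswordPolicy", {})
    min_len = policy.get("MinimumLength", 0)
    if min_len < 12:
        findings.append(f"password minimum length is {min_len}, below 12")
    if not policy.get("RequireSymbols", False):
        findings.append("password policy does not require symbols")

    return findings


def audit_from_boto3(client: Any, pool_id: str) -> List[str]:
    """Hypothetical wiring to a live client; not exercised offline.

    `client` is expected to be boto3.client('cognito-idp').
    """
    return audit_user_pool(client.describe_user_pool(UserPoolId=pool_id)["UserPool"])


if __name__ == "__main__":
    for name, pool in (("weak", WEAK_POOL), ("hardened", HARDENED_POOL)):
        print(name, audit_user_pool(pool) or ["no findings"])
```

Running the audit across every pool an account owns (`list_user_pools` followed by `describe_user_pool` per id) turns the single misconfiguration in the story into a routine check rather than something a stranger discovers first.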
Once inside, they identified a GraphQL mutation that allowed them to escalate privileges to administrator across the platform. This reportedly enabled them to add or remove stores, modify employee accounts, and even push notifications to devices used at drive-throughs and restrooms.
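The page names only "a GraphQL mutation" that let a newly registered account become an administrator; the actual schema and mutation are not on the page. The example below is added here and is not code from RBI or the researcher. It models the defect as a resolver that trusts anyone who can reach the mutation, and sets beside it a resolver that enforces the caller's role on the server, with the role table, context object, mutation names and the tiny dispatcher all being assumptions made for the illustration.

```python
"""Server-side authorization inside a GraphQL mutation resolver (added example)."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

# Constructed role lattice; a real platform would load this from its IAM model.
ROLE_RANK: Dict[str, int] = {"employee": 0, "manager": 1, "admin": 2}


@dataclass
class Context:
    """What the GraphQL layer knows about the authenticated caller."""
    caller_id: str
    caller_role: str


class AuthorizationError(Exception):
    """Raised when a mutation is refused for the current caller."""


def make_users() -> Dict[str, str]:
    """Constructed in-memory user store: user id -> role."""
    return {"u1": "employee", "u2": "manager", "u9": "admin"}


def set_role_unchecked(ctx: Context, users: Dict[str, str], user_id: str, role: str) -> str:
    """Vulnerable shape: authentication got the caller here, but nothing
    asks whether *this* caller may assign *this* role. Any logged-in
    account, including a self-registered one, can make itself admin."""
    users[user_id] = role
    return users[user_id]


def set_role_checked(ctx: Context, users: Dict[str, str], user_id: str, role: str,
                     audit: List[str]) -> str:
    """Hardened shape: the resolver, not the schema, is the trust boundary."""
    if role not in ROLE_RANK:
        raise ValueError(f"unknown role {role!r}")
    if user_id not in users:
        raise ValueError(f"unknown user {user_id!r}")
    # Only administrators may change roles at all.
    if ctx.caller_role != "admin":
        raise AuthorizationError("only administrators may change roles")
    # Nobody, admin included, edits their own role through this path; that
    # keeps a single compromised session from silently re-granting itself.
    if user_id == ctx.caller_id:
        raise AuthorizationError("callers may not change their own role")
    previous = users[user_id]
    users[user_id] = role
    # Privilege changes are exactly the events a detection team wants logged.
    audit.append(f"{ctx.caller_id} changed {user_id}: {previous} -> {role}")
    return role


# Minimal stand-in for a GraphQL mutation dispatcher, so the two resolvers
# can be exercised the way a schema would call them.
Resolver = Callable[..., Any]
MUTATIONS: Dict[str, Resolver] = {
    "setRoleUnchecked": set_role_unchecked,
    "setRoleChecked": set_role_checked,
}


def execute_mutation(name: str, ctx: Context, **args: Any) -> Any:
    """Look the mutation up by name and invoke it with the caller's context."""
    return MUTATIONS[name](ctx, **args)


if __name__ == "__main__":
    users = make_users()
    newcomer = Context(caller_id="u1", caller_role="employee")
    print(execute_mutation("setRoleUnchecked", newcomer, users=users, user_id="u1", role="admin"))
    try:
        execute_mutation("setRoleChecked", newcomer, users=make_users(), user_id="u1",
                         role="admin", audit=[])
    except AuthorizationError as exc:
        print("refused:", exc)
```

The important design point is where the check lives: a GraphQL schema describes what a mutation accepts, not who may call it, so every mutation that changes stores, employees or device notifications needs its own resolver-level authorization and an audit record of the change.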
The researcher also discovered that a password for RBI’s equipment ordering site was hardcoded into client-side HTML, allowing access to franchisee ordering systems.
Among the listed items for purchase was a “drive-through starter pack” including an audio box and a tablet to mount at the point-of-sale terminal.
Perhaps most troubling, BobDaHacker said stored audio from drive-throughs could be replayed and analysed.
RBI operates more than 30,000 restaurants worldwide and generates $45 billion in annual sales.
Its aggressive legal response to the disclosure highlights tensions between corporations and independent security researchers, particularly when sensitive vulnerabilities are involved.
Critics argue that RBI’s focus on trademark claims rather than addressing the ethical issues of silencing security research sets a troubling precedent.
Meanwhile, the widespread circulation of the archived blog means the information RBI sought to suppress is now more widely available than before.