A pair of ethical hackers discovered a bunch of “catastrophic” vulns in the code running 30,000 Burger King, Tim Hortons, Popeyes and Firehouse Subs locations. Owner RBI quickly fixed the flaws, but then its contractor Cyble issued a sus-seeming DMCA takedown notice.
Tale as old as time: Poor, unfortunate $8½ billion corporation vs. evil, vindictive, millennial hackers. In today’s SB Blogwatch, we rule.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: How it used to be done.
What’s the craic? Mark Tyson broke the story: Burger King hacked
“Responsibly informed RBI”
Ethical hackers BobDaHacker and BobTheShoplifter [Daniel Christensen] have detailed their claim [of] vulnerabilities in multiple platforms hosted by [RBI]. This lax security means that systems powering mega brands like Burger King, Tim Hortons, and Popeyes … were almost trivially easy to hack.
…
The vulnerabilities found were a big deal, … allowing the duo to access employee accounts, ordering systems, and listen to recorded drive-thru conversations, among other exploits. … Despite this, the ethical hacking duo that responsibly informed RBI of the flaws were never acknowledged.
And then the next shoe dropped. Dev Kundaliya develops the narrative: Burger King accused of silencing security researcher with copyright claim
“Takedown action”
The post, titled “We Hacked Burger King,” remained online for less than two days before being taken down following a [DMCA] notice, [alleging] unauthorised use of the “Burger King” trademark, [that] the content promoted illegal activity, spread false information, and damaged the company’s reputation.
…
BobDaHacker insisted responsible disclosure protocols had been followed, saying flaws had been reported to RBI within an hour of discovery and stressing that no customer data was collected. RBI reportedly fixed the issues the same day, but still pursued takedown action.
Horse’s mouth? “Bob” and Daniel: We Hacked Burger King
“Your voice is probably in the AWS bucket”
Restaurant Brands International (RBI) [runs] the “assistant” platform – the digital brain behind every drive-thru screen, bathroom tablet review, and the slightly-too-cheerful burger king employee asking if you want to make it a combo. … Their security was about as solid as a paper Whopper wrapper in the rain. … Oh, and did we mention we could listen to your actual drive-thru conversations?
…
We discovered a GraphQL mutation … that was about as secure as leaving your house key under a welcome mat. … With it, we could promote ourselves to admin status. … RBI’s equipment ordering website … password? Hardcoded in da HTML. … Credit where it’s due — RBI’s response time was impressive.
…
With our newfound admin powers, we could:
— Add/remove/manage stores (Want to open a Burger King on the Moon? Now you can!)
— View/edit employee accounts (Everyone gets a promotion!)
— Send notifications to any store ID’s tablet
— Access store analytics and sales data (Numbers, so many numbers)
— Upload files to any store’s systems (Via convenient JWT-signed AWS URLs) …
— Access … thousands, possibly hundreds of thousands of voice recordings containing PII. If you visited … the drive thru, your voice is probably in the AWS bucket, and analyzed by AI.
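The admin-promotion mutation the duo describe is a textbook broken-access-control bug: the resolver confirms the caller is logged in but never asks whether they are allowed to change a role. Below is an added example (constructed Python, not the researchers' or RBI's code) showing such a resolver beside a hardened one; the `setUserRole` mutation name, the role ladder and the users are assumptions.

```python
from dataclasses import dataclass, field
# Constructed role ladder; the real platform's roles are not described on the page.
ROLE_RANK = {"employee": 1, "manager": 2, "admin": 3}

@dataclass
class User:
    id: str
    role: str

@dataclass
class Store:
    users: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

def set_role_vulnerable(store, ctx, user_id, role):
    """Hypothetical `setUserRole` resolver: authenticates the caller, authorizes nothing."""
    if ctx.get("user_id") not in store.users:
        raise PermissionError("not authenticated")
    store.users[user_id].role = role  # any employee can make any account, or themselves, admin
    return store.users[user_id]

def set_role_hardened(store, ctx, user_id, role):
    """Same mutation with authorization from the verified session, enforced before any write."""
    caller = store.users.get(ctx.get("user_id"))
    if caller is None:
        raise PermissionError("not authenticated")
    target = store.users.get(user_id)
    if target is None or role not in ROLE_RANK:
        raise ValueError("unknown user or role")
    own = ROLE_RANK[caller.role]
    # Nobody edits their own role; callers may only manage users ranked below themselves and
    # may only grant roles ranked below their own. Denials are logged so they can be alerted on.
    if caller.id == user_id or ROLE_RANK[target.role] >= own or ROLE_RANK[role] >= own:
        store.audit_log.append(("DENIED", caller.id, user_id, role))
        raise PermissionError("insufficient privilege")
    store.audit_log.append(("ROLE_CHANGE", caller.id, user_id, target.role, role))
    target.role = role
    return target

def demo():
    store = Store(users={"alice": User("alice", "admin"), "bob": User("bob", "employee")})  # constructed data
    ctx = {"user_id": "bob"}  # constructed session: authenticated as the plain employee
    escalated = set_role_vulnerable(store, ctx, "bob", "admin").role
    store.users["bob"].role = "employee"  # undo, then retry against the hardened resolver
    blocked = False
    try:
        set_role_hardened(store, ctx, "bob", "admin")
    except PermissionError:
        blocked = True
    return escalated, blocked, store.users["bob"].role, store.audit_log[-1][0]
```

`demo()` returns `("admin", True, "employee", "DENIED")`: the first resolver hands the employee admin rights, the second refuses and leaves an audit record a SOC can alert on.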
Awful bugs. But cobbzilla is more concerned with possible DMCA misuse:
Honestly wondering if this is a legit use of DMCA. … It’s a scary world when you know a C&D or other legal nastygram is 100% bull**** and want to ignore it, but you’re chained to a vendor that can’t respond with any level of subtlety—just the ban-hammer. … But whatevs, they’re all rubber-stamped so hey Corporate, just push that red “lawyer” button and make my embarrassment go away real fast.
Well? Is it legit? Ryan Singel is less equivocal:
[They] should also file counter notice. This is an obvious abuse of the DMCA:
First, [it] shows no proof it is a valid filer for BK.com, and
2) [The] post falls firmly in DMCA exceptions for commentary.
There is an avenue to sue over this kind of abuse.
But back to the bugs. An_Old_Dog thinks top down:
These sorts of egregious vulnerabilities scream, “The Board of Directors thinks computer security is a waste of money and time.” And that [this] attitude, and consequent budgeting mal-priority, have been firmly communicated down the corporate chain-of-command.
It’s all about company culture. At least, as 80251 alleges:
The last BK I went to the cashier took my credit card to the back room and didn’t return it until my order was ready. Within 15 minutes of my leaving the restaurant my CC company called me to ask if I had authorized a charge to a motel somewhere in Tennessee (I live in California). Needless to say my CC was deactivated that day.
What else could be lurking? Eclectic Man sets the Wayback machine to Stun:
I recall over 10 years ago … stories of a food chain whose IT lacked security to the extent that staff who had left their employment over 4 months previously still had valid log on credentials and could order free food for themselves and gift tokens for others. … There were even articles about a major data breach of employee details in the ‘mainstream’ news. … Nice to know some things never change.
That’s nothing. Get a load of b1c837696ba28b’s memory:
40-some years ago in L.A., some guys discovered that a Burger King drive-up kiosk was tied to the restaurant with an RF link. … They set up in an adjacent parking lot with a video camera and set about pranking the customers that drove up. The resulting video, titled “Attack on a Burger King” … ends with an employee coming out, jogging toward the kiosk, while the hackers convince the customer to flee the angry man approaching them.
Meanwhile, a flaming IanRS cuts to the chase:
All right, I’ll bite: Their head of security needs to be grilled.
Obviously not the video b1c837696ba28b was thinking of, but let’s dust it off anyway.
CW: 1990s ableism attitudes; mildly off-color language; tacos.
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Akshit Tyagi (via Unsplash; leveled and cropped)