We hacked Burger King: How auth bypass led to drive-thru audio surveillance
231 comments · September 6, 2025
weitendorf
Reading between the lines, it looks like the story behind the story here is that this security researcher followed responsible disclosure policies and confirmed that the vulnerabilities were fixed before making this post, but never heard back anything from the company (and thus didn’t get paid, although that’s only a fair expectation if they’ve formally set expectations for paying out on stuff like this ahead of time).
I’m curious about the legal/reputational implications of this.
I personally found some embarrassing security vulnerabilities in a very high profile tech startup and followed responsible disclosure to their security team, but once I got invited to their HackerOne I saw they had only done a handful of payouts ever and they were all like $2k. I was able to do some pretty serious stuff with what I found and figured it was probably more like a $10k-$50k vuln, and I was pretty busy at the time so I just never did all the formal write up stuff they presumably wanted me to do (I had already sent them several highly detailed emails) because it wouldn’t be worth a measly $2k. Does that mean I can make a post like this?
jeroenhd
They heard back from the company alright, they DMCA'd the post: https://infosec.exchange/@bobdahacker/115158347003096276
The screenshot of the email lacks detail so I don't know what part of the DMCA the author breached here, but this feels a lot like your standard DMCA abuse.
This AI generated takedown was funded in part by a Y-Combinator: https://cyble.com/press/cyble-recognized-among-ai-startups-f...
baobabKoodaa
I did not know Cloudflare treats fake DMCAs the same way as Youtube. Since when!?
A4ET8a8uTh0_v2
Can we start discussing 'you can run your own website/cloudflare/isp/backbone' conversation all over again instead of addressing some basic level of fair play?
beanjuiceII
cloudflare is a crappy company
danielheath
DMCA penalties are so severe that all parties are incentivised to run/use a parallel scheme.
don_quiquong
Just imagining the world without Gary Tan and his ilk...
avs733
Someone should see if YC will fund an ai-first company to help individuals and companies fight back against DMCA abuse and seek compensation
jagged-chisel
Interested to hear the financial model for this one.
eduction
This fits with the complete lack of care for ethics and societal awareness from Gary and Paul on down. They just want companies that can succeed by the usual amoral metrics of Silicon Valley (money). Which is entirely their right, but here is one of the social costs in a form most “hacker” founders can maybe appreciate. (As opposed to a low income resident getting evicted to make way for an illegal Airbnb)
akerl_
As a nitpick, you’re describing coordinated disclosure.
Branding it as “responsible” puts the thumb on the scale that somehow not coordinating with the vendor is irresponsible.
billy99k
It is irresponsible. It brings attention to an issue that has not yet been resolved, which will likely lead to users getting data stolen/scammed.
Even the most security-aware companies have a process to fix vulnerabilities, which takes time.
I would never hire someone that doesn't responsibly coordinate with the vendor. In most cases it's either malicious or shows a complete lack of good judgement.
In the case of bobdajrhacker? Both.
siffin
It could never be anywhere near as irresponsible as the original bad security practices, though. At some point, if you wanna make money by handling people's sensitive data, you are the responsible party, not everyone else.
Retric
Some companies will keep systems vulnerable indefinitely. If a company hasn’t fixed the issue in a year, public disclosure is likely a better option than doing nothing.
4ndrewl
Why do you think this? It clearly says that RBI fixed the issue on the day it was found and disclosed.
It seems pretty reasonable to publish, given that?
saagarjha
Are you in a position to hire security engineers?
93po
users at large have a right to know if their data is being handled recklessly by any person or group, and just because some entity has arbitrary rules and poor communication/practices on how they want to tell them disclosures, it doesn't in any way make it irresponsible to let the public know: hey, your shit is getting recorded and is available for anyone to download and listen to.
LadyCailin
I would say that it is responsible disclosure. Or anyways, not doing that is irresponsible disclosure. The corporation may be hurt by early disclosure, and that’s whatever, but very often, there are a ton of ordinary people that are collateral damage, and the only thing they did wrong was exist in a society where handing over hoards of personal data to a huge corporation is unavoidable.
So yes, anyone who discloses before the company has had a reasonable chance to fix things is indeed irresponsible.
bobmcnamara
This seems to presume the company is ready and willing to take feedback.
Maybe things are better now.
Years ago the only contact for many companies was through customer service. "What do you mean you're in our computer? You're obviously on the phone!"
dns_snek
You're assuming that the choice is between immediate public disclosure and coordinated disclosure. Doing "the responsible thing" takes effort that is often disrespected (sometimes to the extreme).
I'm so sick and tired of some companies that any vulnerability I find in their products going forward is an immediate public disclosure. It's either that or no disclosure, and it would be irresponsible not to disclose it at all.
akerl_
What about users who are affected by the vulnerability in the time it takes between reporting to the vendor and remediation?
parineum
What you're describing as branding is actually an opinion. Calling it branding (with its negative connotations) is putting the thumb on the scale.
akerl_
I’m saying out loud “I think rebranding coordinated disclosure as responsible disclosure has negative impacts and we shouldn’t do it”.
That's not putting my thumb on the scale so much as shouting my opinion. The rebrand puts its thumb on the scale specifically because it avoids saying “we think non-coordinated disclosure is irresponsible”; it sneaks it under the name change.
BrenBarn
It won't change until there is better regulation with muscular enforcement. Right now the choice is between paying an $X bug bounty and the vague possibility of some problem for not paying a bounty (e.g., someone sues you, or a PR fiasco causes you to lose customers). That basically means a choice between a 100% chance of losing $X right now (to pay the bounty) or an unknown but probably low chance of an unknown but probably high cost later on. Without any specific incentives, most people making decisions at companies will just choose to gamble on the future, hoping that they can somehow dodge the consequences.
To change that calculus, the chance of that future cost needs to go up and the amount of it also needs to go up. If the choice is between a $100k bug bounty now and a $10-million-dollar penalty for a security breach, people will bite the bullet and pay the bounty. If the CEO knows he will lose his house if it's discovered that he dismissed the report and benefited financially from doing so, he will pay the bounty.
The consequences need to be shifted to the companies that play fast and loose with customer data.
newman8r
> I’m curious about the legal/reputational implications of this.
The comments and headlines will be a bit snarkier, more likely to go viral - more likely to go national on a light news day, along with the human interest portion of not getting paid which everyone can relate to.
Bad PR move
weitendorf
I guess I mean the legal risks to both sides. Security is only a portion of what I do and I only dabble in red teaming (this is the first time I ever tried it on a third party).
So I legitimately don’t know what the legalities of writing a “here’s how I hacked HypeCo” article are if you don’t have the express approval to write that article from HypeCo. Though in my case the company did have an established, public disclosure program that told people they wouldn’t prosecute people who follow responsible disclosure. TFA seems even murkier because Burger King never said they wouldn’t press charges under the CFAA…
juujian
I would argue that it is an ethical thing to do so if it sends a signal to pay whitehats appropriately.
akerl_
Who is getting that signal?
Burger King is almost certainly going to experience no damage from this.
Their takeaway will likely be entirely non-existent. They’ll fix these bugs, they’ll probably implement zero changes to their internal practices, nor will they suddenly decide to spin up a bug bounty.
chimpanzee
The signal is for the hats. Black hats may be more likely to attack. White hats will find better things to do. Some might even swap hats.
juujian
Yeah, the signal is not exclusively to Burger King.
risyachka
This is software.
There are basically zero consequences for whatever fuckups you do, thus no incentives for companies to pay for vulnerabilities.
Thorrez
>Does that mean I can make a post like this?
No. Just because there's a blog post about a fixed vulnerability doesn't imply that it's ok to write a blog post about an unfixed vulnerability.
I'm not saying it's wrong to post a blog post about an unfixed vulnerability. I'm just saying that the existence of a blog post about a fixed vulnerability has no impact on whether it's ok or not to post a blog post about an unfixed vulnerability.
hsbauauvhabzb
You should consult a lawyer. The first thing they’ll probably want to see is the terms you agreed to on hackerone.
jrockway
I'm most surprised that they have this whole system for how drive-thru interactions should go. Positive tone. Saying "you rule" like their exceedingly-irritating television commercials. Like... what if you don't? "If you don't follow the four Sales Best Practices, you're gonna be flippin' burgers for a living. Oh. Well. Oh." They're getting paid $6 an hour. The microphone/speaker system can't reproduce audio to an extent where a customer could ever be sure if you said "you rule" or that your tone is positive. They are thrilled if at least a few items they ordered are in the bag they collect. Why write software to micromanage minimum wage employees?
michaelt
> They're getting paid $6 an hour. [...] Why write software to micromanage minimum wage employees?
Ironically, the less a job pays, the harsher and more demanding the bosses tend to be.
Earning six figures as a software developer, working from home, and you have to take a week off sick? No problem, take as long as you like, hope you feel better soon.
Earning minimum wage at a call centre? Missing a shift without 48 hours advance notice is an automatic disciplinary. No, we don't pay sick leave for people on a disciplinary (which is all of them). Make sure you get a doctor's note, or you're fired.
bagacrap
I think there's a U shaped curve here. Make it all the way to Principal software engineer and you might be expected to work longer hours and bend your personal sense of ethics in service of the company's mission.
parineum
That's a correlation to how easily replaced you are.
MangoToupe
On the other hand, I can't imagine it's easy to find a legal citizen willing to work for that wage. Especially when school's open.
hluska
[flagged]
thfuran
>There’s nothing wrong with flipping burgers for a living.
There is if it relegates you to shitty work environments and doesn’t afford a decent living as is generally the case in the US.
jrockway
I'm not making a value judgement. I'm saying, how are they going to punish you, as a burger flipper, for not saying their TV commercial tagline? Demote you to burger flipper? That's already your job. So why pay people to build a system to track their metrics, when they realistically have no way of making this happen.
Pay people $30/hour and I bet they'll say it every time without software yelling at them. (With the software in place, I have never heard the line "you rule" at Burger King, but I also only go like twice a year. So why write it? It doesn't work.)
stronglikedan
[flagged]
PsylentKnight
> It's a job for teenagers to get experience
It all makes sense now! So that's why all fast food chains are closed from 9-3 on school days
import
It seems the post is down because of a DMCA complaint made to Cloudflare. I’m curious about the different levels of DMCA complaints. I’m sure hosting companies receive them, but what happens if I’m self-hosting and not using Cloudflare? Will my ISP or domain provider get a DMCA? Especially curious for this case.
jimt1234
How do we know this was because of a DMCA complaint?
Edit: Never mind -- > https://infosec.exchange/@bobdahacker/115158347003096276
akerl_
Usually yes, it would go to your ISP. And depending on the ISP they’ll forward it to you or not. This was way more prevalent in the era where movie studios were hiring firms to send bulk DMCAs to people downloading torrents.
djfobbz
Back in 2008–2009, we had a lot of bare metal servers at SoftLayer's (Dallas, TX) facility. One of our customers ran a South American music forum, and anytime someone uploaded an MP3, the data center would honor the DMCA request and immediately stop routing traffic to the server until the issue was resolved. Now imagine what tools they might have in their arsenal in 2025.
techjamie
The voice recordings at the drive thru without disclaimers of recording seem like maybe a two party state lawyer's wet dream?
I guess they could argue shouting into a machine in public carries no expectation of privacy, but it seems like a liability to me.
nerdsniper
There’s no liability or exposure for recording non-consensually. It’s a public space. There’s not even an edge case. If a random member of the public could walk into the drive-thru (which they can) then anything can be recorded without notification or consent.
Edit: Another commenter has made me aware that some states do ban non-consensual audio recordings in public: https://www.dmlp.org/legal-guide/massachusetts-recording-law
The laws prohibiting these recordings have neither been upheld nor overturned by the US Supreme Court.
exegete
A restaurant drive thru is private property open to the public. I think there may be a legal difference there.
nerdsniper
There's generally not been held to be any difference for the purposes of expectation of privacy. If it's open to the public, the expectation is that anyone could overhear you.
flimflamm
Creating a database of recordings without the user being able to know/influence it is clearly a violation of GDPR IF there is PII. That's going to be costly for BK.
nerdsniper
GDPR only exists in Europe. Are they doing this there too?
mixdup
>There’s no liability or exposure for recording non-consensually. It’s a public space.
That is not how wiretapping laws work in every state.
newhotelowner
Do you need 2 party consent for recording in a public space?
nerdsniper
Edit: Another commenter has made me aware that some states do ban non-consensual audio recordings in public: https://www.dmlp.org/legal-guide/massachusetts-recording-law
The laws prohibiting these recordings have neither been upheld nor overturned by the US Supreme Court.
wordglyph
I think the real issue in this case is if they are marrying your voice data (personal preferences) to you. They get your name when you pay with credit card. And they get your license plate. And now with AI are they selling this married information?
techjamie
That's what I'm getting at with the expectation of privacy part. Talking into a drive thru speaker isn't really a private activity since everyone around can kinda hear it, but it'd probably be better to disclaim it anyway since someone attempting to file on you for it still costs money.
ssl-3
Strolling down the sidewalk at a park with a friend and chatting with them isn't necessarily a private activity either: We're in a very public space. Anyone within earshot can hear whatever we're talking about. If the sounds of our conversation wind up being incidentally in the background of someone filming the squirrels, the tree frogs, or something, then there's probably nothing to be done about that.
But (in some states), it seems that it would be a very different can of worms if I were to elect to deliberately record the conversation I have with my friend without their consent. Even in a public space, that would appear to run directly afoul of the applicable laws.
thimkerbell
Is there an easy effective way to tell a company not to ask its customers' phone numbers if someone parked nearby can overhear them?
flimflamm
Depends on the country. In Finland, it's ok to record your own discussions. Whether the recorder is BK (a third party) or the cashier is an interesting question, though.
unyttigfjelltol
You don’t get to secretly record voices in public spaces.
newhotelowner
Yes, you can in America. Video recording is permitted without consent in public places. Example: CCTVs.
mrbluecoat
> They emailed us the password in plain text. In 2025. We're not even mad, just impressed by the commitment to terrible security practices.
The hilarious sarcasm throughout was the cherry on top for me.
some_random
Not to nitpick but being emailed a temporary password in cleartext doesn't seem like an issue to me, assuming you're required to change it as soon as you log in.
bigiain
Especially since that email address presumably is used for the forgot password authentication anyway.
But it is at least the equivalent of a code smell. perhaps a "UX smell"?
A couple of obvious ways it can go bad: An attacker could potentially have access to your email (perhaps from a data breach elsewhere or a password stuffing attack) and use the temp password before you do. If the temp password is the one entered by the user during signup, a naive user could sign up using their commonly-reused password, which then sits in cleartext forever in their email archive.
hvb2
The way I read it, the password might not have been different for each new user...
But that's negated completely by the next part about there being a sign up without any email verification
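The two failure modes raised above (a temp password that an attacker reading the mailbox can redeem first, or that is the same for every user / is the user's own reused password, plus signup without email verification) are what a hardened first-login flow is meant to narrow. The following is an added example, not code from the original thread or from any Burger King/RBI system; it assumes a hypothetical in-memory `UserStore`. The emailed secret is random and per user, only its hash is stored, it expires quickly, it works exactly once, it can never be used as the account password, and redeeming it is what marks the mailbox as verified.

```python
"""Hardened provisioning of an emailed temporary credential (added example)."""
import hashlib
import hmac
import secrets
import time

TEMP_TTL_SECONDS = 15 * 60   # short window: limits the "attacker reads your mail first" risk
ITERATIONS = 100_000         # PBKDF2 work factor (hypothetical choice for the example)


def _hash(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the cleartext secret is never stored."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


class UserStore:
    """Minimal in-memory user store (hypothetical, for illustration only)."""

    def __init__(self, now=time.time):
        self.users = {}
        self.now = now   # injectable clock so expiry can be exercised

    def provision(self, email: str) -> str:
        """Create an unverified account and return the one-time temp password.

        The returned string is the only thing that would go into the email;
        it is generated server-side per user, so it is never a reused
        user-chosen password and never shared between accounts."""
        temp = secrets.token_urlsafe(24)
        salt = secrets.token_bytes(16)
        self.users[email] = {
            "temp_salt": salt,
            "temp_hash": _hash(temp, salt),
            "temp_expires": self.now() + TEMP_TTL_SECONDS,
            "pw_salt": None,
            "pw_hash": None,        # no real password until first login
            "verified": False,      # mailbox possession not yet proven
        }
        return temp

    def first_login(self, email: str, temp: str, new_password: str) -> bool:
        """Redeem the temp password exactly once and set a real password."""
        u = self.users.get(email)
        if u is None or u["temp_hash"] is None:
            return False            # unknown user, or temp already used/burned
        if self.now() > u["temp_expires"]:
            u["temp_hash"] = None   # expired: burn it rather than leave it live
            return False
        if not hmac.compare_digest(u["temp_hash"], _hash(temp, u["temp_salt"])):
            return False
        if len(new_password) < 12 or new_password == temp:
            return False            # the user must actually choose a new password
        u["temp_hash"] = None       # single use
        u["pw_salt"] = secrets.token_bytes(16)
        u["pw_hash"] = _hash(new_password, u["pw_salt"])
        u["verified"] = True        # redeeming the mailed secret proves the mailbox
        return True

    def login(self, email: str, password: str) -> bool:
        """Normal login: only a verified account with a real password gets in."""
        u = self.users.get(email)
        if u is None or not u["verified"] or u["pw_hash"] is None:
            return False            # the temp password is never accepted here
        return hmac.compare_digest(u["pw_hash"], _hash(password, u["pw_salt"]))
```

The short TTL and single-use check shrink, but cannot remove, the window in which someone with access to the mailbox redeems the credential first; that residual risk is inherent to any email-based bootstrap.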
lazide
The fun one for me is when they email you your original password in email. I’ve had that happen twice, and was always an amazing wtf moment.
thenthenthen
And... it's down: “Blog post not found”. Archive link here: https://archive.is/zIteR
wellwells
oasisaimlessly
> We decided to take the post down after receiving a DMCA from Burger King.
The DMCA report was actually sent from response@cycle.com, and Cyble [1] appears to be a DMCA-takedown-as-a-service 'solution'.
[1]: https://cyble.com/
patcon
maybe more longterm: https://web.archive.org/web/20250906150322/https://bobdahack...
johnecheck
Wow. That's... impressively bad.
While pretty egregious, this is sadly common. I'm certain there are a dozen other massive companies making similar mistakes.
rsingel
The blog post got taken down in response to a bullshit DMCA claim filed by a YC-funded company called Cyble
DMCA screenshot https://infosec.exchange/@bobdahacker/115158347003096276
Cyble announcement of YC funding in 2025 https://cyble.com/press/cyble-recognized-among-ai-startups-f...
cobbzilla
Honestly wondering if this is a legit use of DMCA. Like, what exact provision of the DMCA is being implicated here?
One should have some reasonable means for challenging this kind of thing. But what do I know.
It’s a scary world when you know a C&D or other legal nastygram is 100% bullshit and want to ignore it, but you’re chained to a vendor that can’t respond with any level of subtlety, just the ban-hammer for everyone
So the C&Ds and nastygrams become increasingly ridiculous, but whatevs, they’re all rubber-stamped so hey corporate just push that red “lawyer” button and make my embarrassment go away real fast, before any Streisand effect can kick in!
kevincox
IANAL but it absolutely isn't.
DMCA is for copyright violations. They aren't providing any copyright protected information in the post. The nearest thing would probably be screenshots of their internal applications, which seems to me to be obviously fair use.
charcircuit
The article did show images of the internal website, including one showing a photograph. It infringes their copyright, but it would be up to the author to prove that the usage was fair use.
gus_massa
> Rating bathroom experiences: because everything needs a digital feedback loop
At least here in Argentina, clean bathrooms were a huge selling point in the 1990s for Burger King and McDonald's.
For example, you can go to one of them to study with a few friends, and be there for hours because they have clean bathrooms, and from time to time one of the employees may come to offer a coffee refill and ask if you want to buy something to eat with the coffee. [The free coffee refill changes from time to time. I'm not sure it's working now.]
alanfalcon
Now my local Burger King (in Las Vegas, NV, USA) has a sign at each table telling you that you have 30 minutes to eat your food and get out before you get thrown out for loitering.
MathMonkeyMan
Well there are some people who seem to live at my local McDonalds.
immibis
[flagged]
Blog seems to be down.
https://web.archive.org/web/20250906150322/https://bobdahack...