- Blog seems to be down.
https://web.archive.org/web/20250906150322/https://bobdahack...
by weitendorf
11 subcomments
- Reading between the lines, it looks like the story behind the story here is that this security researcher followed responsible disclosure policies and confirmed that the vulnerabilities were fixed before making this post, but never heard back anything from the company (and thus didn’t get paid, although that’s only a fair expectation if they’ve formally set expectations for paying out on stuff like this ahead of time).
I’m curious about the legal/reputational implications of this.
I personally found some embarrassing security vulnerabilities in a very high profile tech startup and followed responsible disclosure to their security team, but once I got invited to their HackerOne I saw they had only done a handful of payouts ever and they were all like $2k. I was able to do some pretty serious stuff with what I found and figured it was probably more like a $10k-$50k vuln, and I was pretty busy at the time so I just never did all the formal write up stuff they presumably wanted me to do (I had already sent them several highly detailed emails) because it wouldn’t be worth a measly $2k. Does that mean I can make a post like this?
- I'm most surprised that they have this whole system for how drive-thru interactions should go. Positive tone. Saying "you rule" like their exceedingly-irritating television commercials. Like... what if you don't? "If you don't follow the four Sales Best Practices, you're gonna be flippin' burgers for a living. Oh. Well. Oh." They're getting paid $6 an hour. The microphone/speaker system can't reproduce audio to an extent where a customer could ever be sure if you said "you rule" or that your tone is positive. They are thrilled if at least a few items they ordered are in the bag they collect. Why write software to micromanage minimum wage employees?
- It seems the post is down because of a DMCA complaint made to Cloudflare. I’m curious about the different levels of DMCA complaints. I’m sure hosting companies receive them, but what happens if I’m self-hosting and not using Cloudflare? Will my ISP or domain provider get a DMCA? Especially curious for this case.
by techjamie
2 subcomments
- The voice recordings at the drive thru without disclaimers of recording seem like maybe a two-party state lawyer's wet dream?
I guess they could argue shouting into a machine in public carries no expectation of privacy, but it seems like a liability to me.
by mrbluecoat
0 subcomments
- > They emailed us the password in plain text. In 2025. We're not even mad, just impressed by the commitment to terrible security practices.
The hilarious sarcasm throughout was the cherry on top for me.
by thenthenthen
3 subcomments
- And... it's down: “Blog post not found”. Archive link here: https://archive.is/zIteR
by some_random
3 subcomments
- Not to nitpick but being emailed a temporary password in cleartext doesn't seem like an issue to me, assuming you're required to change it as soon as you log in.
by johnecheck
0 subcomments
- Wow. That's... impressively bad.
While pretty egregious, this is sadly common. I'm certain there's a dozen other massive companies making similar mistakes.
- The blog post got taken down in response to a bullshit DMCA claim filed by a YC-funded company called Cyble.
DMCA screenshot
https://infosec.exchange/@bobdahacker/115158347003096276
Cyble announcement of YC funding in 2025
https://cyble.com/press/cyble-recognized-among-ai-startups-f...
- Wtf! I’m certain this entire stack was reviewed by low level outsourced contractors.
To the person below whining that BK should’ve had more time…absolutely not! Users have a right to know. No effort was made to protect the data. None.
Action needs to be taken. The company contracted to build this stack should be replaced ASAP! Including the CISO.
by gus_massa
1 subcomment
- > Rating bathroom experiences: because everything needs a digital feedback loop
At least here in Argentina, clean bathrooms were a huge selling point in the 1990s for Burger King and McDonald's.
For example, you can go to one of them to study with a few friends and be there for hours because they have clean bathrooms, and from time to time one of the employees may come to offer a coffee refill and ask if you want to buy something to eat with the coffee. [The free coffee refill changes from time to time. I'm not sure it's working now.]
by cobbzilla
2 subcomments
- Honestly wondering if this is a legit use of DMCA. Like, what exact provision of the DMCA is being implicated here?
One should have some reasonable means for challenging this kind of thing. But what do I know.
It’s a scary world when you know a C&D or other legal nastygram is 100% bullshit and want to ignore it, but you’re chained to a vendor that can’t respond with any level of subtlety, just the ban-hammer for everyone.
So the C&Ds and nastygrams become increasingly ridiculous, but whatevs, they’re all rubber-stamped so hey corporate just push that red “lawyer” button and make my embarrassment go away real fast, before any Streisand effect can kick in!
- I think the real issue in this case is if they are marrying your voice data (personal preferences) to you. They get your name when you pay with credit card. And they get your license plate. And now with AI are they selling this married information? Not to mention the ability for AI to clone your voice and selling that.
- 99.9% of the CTFs have much more difficult questions!
> The password protection? Client-side only. The password? Hardcoded in HTML.
by b1c837696ba28b
1 subcomment
- 40-some years ago in L.A. some guys discovered that a Burger King drive-up kiosk was tied to the restaurant with an RF link. It was a simple matter to determine the frequency and modulation mode and program a hand-held transceiver to use the same link. They set up in an adjacent parking lot with a video camera and set about pranking the customers that drove up. The resulting video, titled "Attack on a Burger King" (these guys were video engineers), was copied all around town by the same studio rats that shared session outtakes, Red's Tube Bar, etc. It ends with an employee coming out, jogging toward the kiosk, while the hackers convince the customer to flee the angry man approaching them. Dunno if it ever made it to streaming.
- Great write-up! I was sorry to see there wasn’t a reward for you reporting this to them.
At least you didn’t find that the bathroom rating tablets had audio as well!
by oneturkmen
0 subcomments
- Just googling "rbictg bk gb" yields some weird domains, including dev-bk-gb-moonshot (dot) rbictg (dot) com
- So they did do the work on sentiment analysis and all that, but didn't do any of the security stuff???
So when you're making minimum wage, you can expect every word you say to be analysed and your PII to be unprotected.
I guess security wasn't a feature.
by igtztorrero
0 subcomments
- It's incredible that a chain that produces terrible food has such a large surveillance system for underpaid employees.
Surely the IT workers are also underpaid, which is why they left the doors wide open.
That only confirms the subpar quality of the executives, the food, and everything at Burger King.
by A4ET8a8uTh0_v2
0 subcomments
- > DMCA copyright infringement complaint from Cyble Inc., acting on behalf of Burger King
I am mildly amused, but it only now makes me want to dig through the Internet Archive (I believe another poster already helpfully provided a link). GL BK. It sounds like Streisand will strike again.
edit: Good read btw. I am curious as to why employees are in that database though.
- This person seems to be fishing for a CFAA indictment?
- Remind me to stick to my hyperlocal fast food restaurant that only has one location and probably doesn't record every conversation you have with them or use any of the other gross surveillance technology that was recorded here.
The story is really about two things. Their poor information security is pathetic, but their actual surveillance tech is genuinely kind of politically concerning. Even if it is technically legal, it's unethical to record conversations without consent.
- You need to stop targeting companies without established bug bounties that allow penetration testing, or you’re going to go to jail.
- The only way this shit show will ever stop is if behavior like this is ultimately rewarded with a corporate death penalty.
E.g. their trademarks being put in the public domain and assets confiscated to compensate their victims.
Then watch in amazement at how actual security suddenly becomes a priority.
by sergiotapia
0 subcomments
- Before writing and publishing this did you tell them about the vulnerabilities?
- This is written like an LLM trying to be witty and it's nearly unbearable.
- Assuming:
1. Jane, a security researcher, discovers a vulnerability in Acme Corporation's public-internet-facing website in a legal manner
2. Jane is a US resident and citizen
3. Acme Corporation is a US company
... is it legal for Jane to post publicly about the vulnerability with a proof of concept exploit?
Relatedly:
Why do security researchers privately inform companies of vulnerabilities and wait for them to patch before public disclosure? Are they afraid of liability?
by thimkerbell
0 subcomments
- Blog post not found
- Since Wayback has it, repost that shit. Burger King, get bent.
- This [post] is Claude generated, isn't it? Makes it a bit painful to read, to be frank, but nice work. I can't believe people get paid to write this junk (software). It's just...so bad.
by BobDaHacker
2 subcomments
- Burger King
- I swear to God nothing can be cringier and funnier than when wannabe kiddo hackers write writeups. I can assure you that they did dirty things for a couple of months before they actually reported it, but I cannot prove it LMAO. I love this god-level smart aleckness, and the level of confidence is always ultimate LOL. idk man it is very sweet hahah. 50 grades of gray ahahahahahah