
Security flaw in DJI’s website and apps exposed accounts to hackers and drone live feeds

It took about six months for popular consumer drone maker DJI to fix a security vulnerability across its website and apps, which if exploited could have given an attacker unfettered access to a drone owner’s account.
The vulnerability, revealed Thursday by researchers at security firm Check Point, would have given an attacker complete access to a DJI user’s cloud-stored data, including drone logs, maps, any still or video footage — and live feed footage through FlightHub, the company’s fleet management system — without the user’s knowledge.
Taking advantage of the flaw was surprisingly simple — requiring a victim to click on a specially crafted link. But in practice, Check Point spent considerable time figuring out the precise way to launch a potential attack — and none of them were particularly easy.
For that reason, DJI called the vulnerability “high risk” but “low probability,” given the numerous hoops to jump through first to exploit the flaw.
“Given the popularity of DJI drones, it is important that potentially critical vulnerabilities like this are addressed quickly and effectively,” said Oded Vanunu, Check Point’s head of products vulnerability research.
A victim would have had to click on a malicious link from the DJI Forum, where customers and hobbyists talk about their drones and activities. By stealing the user’s account access token, an attacker could have pivoted to access the user’s main account. Clicking the malicious link would exploit a cross-site scripting (XSS) flaw on the forum, essentially taking the user’s account cookie and using it on DJI’s account login page.
The researchers also found flaws in DJI’s apps and its web-based FlightHub site.
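As an added illustration (not code from the article, from DJI or from Check Point), the two defensive controls that break the chain described above: output-encoding user-supplied forum content so injected markup renders as text rather than executing, and issuing the session token as an HttpOnly cookie so a page script cannot read it. The function names and the sample post are constructed for this example.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample forum post carrying injected markup (placeholder payload,
# not the one from the Check Point research).
SAMPLE_POST = "Nice flight! <script>alert(document.cookie)</script>"


def render_post_vulnerable(body: str) -> str:
    """Interpolates the post body into HTML unencoded: the XSS pattern."""
    return f"<div class='post'>{body}</div>"


def render_post_hardened(body: str) -> str:
    """Output-encodes the body so the browser treats it as text, not markup."""
    return f"<div class='post'>{html.escape(body, quote=True)}</div>"


def session_cookie_header(token: str, hardened: bool = True) -> str:
    """Builds the Set-Cookie line for a session token.

    HttpOnly keeps the token out of document.cookie, so a script injected
    through an XSS flaw cannot read it; Secure and SameSite limit where the
    browser will send it.
    """
    jar = SimpleCookie()
    jar["session"] = token
    jar["session"]["path"] = "/"
    if hardened:
        jar["session"]["httponly"] = True
        jar["session"]["secure"] = True
        jar["session"]["samesite"] = "Strict"
    return jar.output(header="Set-Cookie:")


def missing_protections(set_cookie_line: str) -> list:
    """Audits a captured Set-Cookie line and lists the absent defensive flags."""
    value = set_cookie_line
    if value.lower().startswith("set-cookie:"):
        value = value.split(":", 1)[1]
    attrs = {}
    for part in value.split(";")[1:]:  # skip the name=value pair itself
        name, _, val = part.strip().partition("=")
        attrs[name.lower()] = val or True
    missing = []
    if attrs.get("httponly") is not True:
        missing.append("HttpOnly")
    if attrs.get("secure") is not True:
        missing.append("Secure")
    if str(attrs.get("samesite", "")).lower() not in ("strict", "lax"):
        missing.append("SameSite")
    return missing
```

Running `missing_protections` over the Set-Cookie lines a login endpoint actually returns is a quick way to confirm the token is not readable from page scripts.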
By exploiting the vulnerability, the attacker could take over the victim’s account and gain access to all of their synced recorded flights, drone photos, and more. (Image: Check Point)