Here’s How Hackers Could Have Spied On Your DJI Drone Account

Cybersecurity researchers at Check Point today revealed details of a potentially dangerous vulnerability in DJI's drone web app that could have allowed attackers to access user accounts and the sensitive information synced to them, including flight records, location, the live camera feed, and photos taken during a flight.

Though the vulnerability was discovered and responsibly reported by the security firm Check Point to the DJI security team in March this year, the popular China-based drone manufacturer fixed the issue only after almost six months, in September.

The account takeover attack takes advantage of a total of three vulnerabilities in the DJI infrastructure: a secure cookie bug in the DJI identification process, a cross-site scripting (XSS) flaw in its forum, and an SSL pinning issue in its mobile app.

The first vulnerability, i.e. the login cookies not having the “secure” and “httponly” flags set, allowed attackers to steal a user's login cookies by injecting malicious JavaScript into the DJI Forum website through the XSS vulnerability.
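The missing flags are easy to check for on any site's responses. The following audit is an added example written for this article, not code from Check Point or DJI; the cookie names and header values in it are constructed, and the list of "session-like" name fragments is an assumption used to decide which cookies matter. It parses Set-Cookie headers and reports whether Secure, HttpOnly and a restrictive SameSite value are present, comparing a weak cookie with its hardened counterpart.

```python
"""Audit Set-Cookie headers for the flags whose absence let injected
script read the DJI login cookies. Added example; all sample values
below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumption: cookies whose names contain these fragments carry session state.
SESSION_HINTS = ("sess", "token", "auth", "sid", "login")


@dataclass
class CookieAudit:
    name: str
    attributes: Dict[str, str] = field(default_factory=dict)
    missing: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Split 'name=value; Attr; Attr=value' into the cookie name and a
    lower-cased attribute map (values kept as written)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return CookieAudit(name=name, attributes=attrs)


def audit_set_cookie(header: str) -> CookieAudit:
    """Return the audit with every protective flag that is absent listed in
    .missing. HttpOnly keeps document.cookie from exposing the value to
    injected script; Secure keeps it off plaintext HTTP; SameSite=Lax or
    Strict limits cross-site sending."""
    audit = parse_set_cookie(header)
    attrs = audit.attributes
    if "secure" not in attrs:
        audit.missing.append("Secure")
    if "httponly" not in attrs:
        audit.missing.append("HttpOnly")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        audit.missing.append("SameSite=Lax/Strict")
    return audit


def is_session_cookie(name: str) -> bool:
    return any(hint in name.lower() for hint in SESSION_HINTS)


def audit_response_headers(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Report only session-like cookies that lack at least one flag, keyed by
    cookie name. Non-session cookies (e.g. UI preferences) are ignored."""
    findings: Dict[str, List[str]] = {}
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        audit = audit_set_cookie(value)
        if is_session_cookie(audit.name) and audit.missing:
            findings[audit.name] = audit.missing
    return findings


# Constructed sample headers: a weak session cookie, a harmless preference
# cookie, and the hardened form of the session cookie.
WEAK_COOKIE = "sessionToken=abc123; Path=/; Domain=.example.com"
HARDENED_COOKIE = (
    "sessionToken=abc123; Path=/; Domain=.example.com; "
    "Secure; HttpOnly; SameSite=Lax"
)
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", WEAK_COOKIE),
    ("Set-Cookie", "theme=dark; Path=/"),
]

if __name__ == "__main__":
    print("weak:", audit_set_cookie(WEAK_COOKIE).missing)
    print("hardened:", audit_set_cookie(HARDENED_COOKIE).missing)
    print("findings:", audit_response_headers(SAMPLE_HEADERS))
```

Note the limit of the fix: HttpOnly stops injected script from reading the cookie value and carrying it off, but script running in the victim's page can still issue requests that the browser will attach the cookie to. Flagging the cookie reduces the blast radius of an XSS bug; it does not substitute for fixing the XSS itself.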

“To trigger this XSS attack all the attacker need do is to write a simple post in the DJI forum which would contain the link to the payload,” the researchers explained in a report published today.

“A user who logged into DJI Forum, then clicked a specially-planted malicious link, could have had his or her login credentials stolen to allow access to other DJI online assets.”

Once captured, the login cookies, which include authentication tokens, could then be reused to take complete control over the user’s DJI web account, the DJI GO/4/pilot mobile applications, and the user's account on DJI Flighthub, the company's centralized drone operations management platform.

However, to access the compromised account through the DJI mobile apps, attackers first had to intercept the mobile application's traffic, which required bypassing its SSL pinning implementation and performing a man-in-the-middle (MitM) attack on the connection to the DJI server using Burp Suite.

“We also carried out further research and found that by parsing flight logs files we can get much more information such as location and angle of every picture taken during the drone’s flight, the drone’s home location, last known location and more,” researchers said.

DJI classified the vulnerability as “high risk—low probability,” because successful exploitation of the flaw required a user “to be logged into their DJI account while clicking on a specially-planted malicious link in the DJI Forum.”

DJI also said the company did not find any evidence of the flaw being exploited in the wild.

Check Point researchers reported the vulnerability to DJI through its bug bounty program, but declined to reveal the financial reward offered to them. The DJI bug bounty program offers up to $30,000 in rewards for a single vulnerability.

DJI has been facing scrutiny in the United States after the Department of Homeland Security (DHS) released a memo late last year accusing the company of sending sensitive information about the U.S. infrastructure to China through its commercial drones and software.

However, the drone maker denied the allegations, saying that the memo from the US government office was based on “clearly false and misleading claims.”

Updated: November 20, 2018 — 10:50 am