DJI Drone Web App Security Flaw Could Let Attackers Take Over Drones


Researchers have discovered a serious vulnerability in the DJI drone web app that threatens businesses as well as individual users. Exploiting it remotely could let an attacker take over a user's DJI account and steal the data stored in it.

Security Vulnerability Discovered In The DJI Drone Web App

Check Point Research (CPR) recently discovered a security vulnerability affecting DJI drone users. The flaw existed in the DJI drone web app, and exploiting it could allow an attacker to gain access to the victim's DJI account without triggering any alert. The researchers have detailed their findings in a separate report.

As the researchers found, the vulnerability resided in DJI's user identification process, which allowed an attacker to hijack a target account. As CPR explained,

“DJI uses a cookie that the attacker can obtain to identify a user and create tokens, or tickets, to access their platforms. Through the use of this cookie, an attacker is able to simply hijack any user’s account and take complete control over any of the user’s DJI Mobile Apps, Web Account or DJI FlightHub account.”

Exploiting the bug required no special tactics: a user could fall victim simply by clicking a malicious link in a post the attacker had placed on the DJI forum. The link triggered a cross-site scripting (XSS) attack that let the attacker obtain the identifying cookie and, with it, access to the victim's account.

The hack could expose sensitive data to the attacker, such as photos and videos taken by the drone, the drone's flight logs, the live map and camera view, and the victim's profile information.

DJI Released Patch

Check Point researchers first discovered the vulnerability in March and informed DJI immediately. Because the vendor took about six months to patch the flaw, the researchers withheld their findings until recently.

According to CPR, DJI responded adequately to the report. While the vendor acknowledged the bug as high risk, it rated it as low probability, citing the difficulty of the exploit method.

DJI also confirmed that the flaw had not been exploited.


Abeerah Hashim

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]