There are two sides to every story. Yesterday we posted DJI’s response to the Data Security Issue. Today we want to show you another opinion, which we found on ZDNet.
The following article discusses how a researcher walked away from $30,000 to ensure full public disclosure of the drone maker’s poor security, and reveals how not every bug bounty hunt ends well.
An exasperated bug bounty hunter has revealed that drone maker DJI left everything from AWS credentials to private SSL keys on public forums.
As reported by the Register, security researcher Kevin Finisterre discovered the Chinese firm had left the private keys of the DJI HTTPS domain on GitHub, exposed for all to see for roughly four years.
To make matters worse, DJI had also made AWS credentials and firmware AES keys available for anyone to search for through the GitHub repository.
With these materials, which the researcher summarized as a “full infrastructure compromise,” an attacker would have had free rein to cause utter havoc for DJI: stealing data, compromising systems, and much more.
The problems started in August, when the Chinese firm announced a bug bounty program that invited external researchers to find, submit, and be rewarded for responsibly disclosing vulnerabilities in the company’s products.
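The leak described above (private HTTPS keys, AWS credentials and firmware AES keys sitting in a public GitHub repository) is the kind of thing a repository owner can catch before it is pushed. The scanner below is an added example written for this post; it is not DJI's code, not Finisterre's, and not a reproduction of anything he found. It looks for the three secret types the article names: the documented AWS access key ID format (`AKIA` plus 16 upper-case alphanumerics), a PEM private-key header, and a long hex literal assigned to a key-like name, plus a Shannon-entropy heuristic for 40-character-plus tokens such as AWS secret access keys. The sample configuration it scans is constructed for the example (the `AKIAIOSFODNN7EXAMPLE` value is AWS's own documentation placeholder).

```python
"""Minimal secret scanner for a source tree.

Added example for this post; not code from DJI or from the researcher.
Patterns cover the secret types named in the article. The AES-key rule
and the entropy rule are heuristics and will need tuning on a real tree.
"""
import math
import re
from collections import Counter
from pathlib import Path

PATTERNS = {
    # AWS's documented access key ID format.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # Standard PEM header for an unencrypted private key.
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----"),
    # Heuristic: a 128- to 256-bit hex literal assigned to a key-like name.
    "hex_key_literal": re.compile(
        r"(?i)\b(?:aes|secret|key)\w*\s*[:=]\s*['\"]?([0-9a-f]{32,64})['\"]?"
    ),
}

# Hex strings top out at 4.0 bits/char, so 4.5 keeps them out of this rule
# while base64-style random tokens (AWS secret keys are 40 chars) exceed it.
ENTROPY_THRESHOLD = 4.5
TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{40,}")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, source: str = "<memory>") -> list:
    """Return findings as (source, line_no, kind, snippet) tuples."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((source, line_no, kind, m.group(0)[:40]))
        for token in TOKEN_RE.findall(line):
            if shannon_entropy(token) > ENTROPY_THRESHOLD:
                findings.append((source, line_no, "high_entropy_token", token[:40]))
    return findings


def scan_tree(root: Path) -> list:
    """Scan every regular file under root, skipping the .git directory itself."""
    findings = []
    for path in root.rglob("*"):
        if ".git" in path.parts or not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        findings.extend(scan_text(text, str(path)))
    return findings


# Constructed sample resembling a config file that should never be committed.
SAMPLE_CONFIG = """\
bucket = 'firmware-images'
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = AbCdEfGhIjKlMnOpQrStUvWxYz0123456789+/ac
AES_KEY = "00112233445566778899aabbccddeeff"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for src, line_no, kind, snippet in scan_text(SAMPLE_CONFIG, "sample.cfg"):
        print(f"{src}:{line_no}: {kind}: {snippet}")
```

Run `scan_tree(Path("."))` from a checkout to sweep the working tree; note that this checks files as they are now, not the commit history, so a secret that was committed and later deleted still has to be found in `git log -p` output or with a history-aware tool. Either way, a credential that has reached a public repository is compromised and must be rotated, not merely removed.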