Researcher Gets Threats Instead of Bug Bounty

DooKey

DJI, the Chinese company that manufactures the popular Phantom brand of consumer quadcopter drones, was informed in September that developers had left the private keys for both the "wildcard" certificate for all the company's Web domains and the keys to cloud storage accounts on Amazon Web Services exposed publicly in code posted to GitHub. Using the data, researcher Kevin Finisterre was able to access flight log data and images uploaded by DJI customers, including photos of government IDs, driver's licenses, and passports. Some of the data included flight logs from accounts associated with government and military domains. When he approached the company as part of their bug bounty program, he was threatened by DJI lawyers instead of getting the money he should have received for his work. As a result he publicly published his findings. Anyway, it really sounds like DJI isn't a company to be trusted. Thanks, gxp500!

Finisterre found the security error after beginning to probe DJI's systems under DJI's bug bounty program, which was announced in August. But as Finisterre worked to document the bug with the company, he got increasing pushback—including a threat of charges under the Computer Fraud and Abuse Act (CFAA).
 
Americans would rather trust their personal information to Korean and Chinese companies, just because American companies charge a couple of dollars more, due to the higher overheads they face... Those few dollars you just saved were the price of your privacy, and your country's economy! lol
 
Poor guy, he put a down payment on a Tesla 3 and everything cause he knew he was gonna win. But now he doesn't get the Tesla he is entitled to.

Poor guy.
 
I also like that he starts off the article with "you normies probably don't pay attention to legal documents but I do because I'm a researcher, so let me tell you how dumb they were." And then at the end he is complaining how he missed a big part of the agreement and that it's not his fault, it was an honest mistake.
 
He learned through a DJI modders' Slack channel that some DJI AWS accounts were set to be publicly accessible, and the "buckets" included "all attachments to the service e-mails they receive… images of damaged drones… receipt and other personal data… and 'occasional photos of people cut by propellers.'"

The plot thickens.
 
'Member when you chased that squirrel and ran your drone into that transformer and blacked out the neighborhood.... DJI remembers
 
By 11?

Good on him. The contract was iffy and would have cost him more than the bug bounty paid in the long run.
 
Americans would rather trust their personal information to Korean and Chinese companies, just because American companies charge a couple of dollars more, due to the higher overheads they face... Those few dollars you just saved were the price of your privacy, and your country's economy! lol

Do you really think US companies are any better at protecting your privacy?

First we have our own government being hacked, the NSA & CIA being two among many, not to mention IRS workers losing laptops with millions of taxpayers' data on them. Then we had retailers like Target & Home Depot getting hacked and giving access to tens of millions of customers' data, but of course banks one-upped them and JPMorgan and others were hacked. But of course all those were made meaningless by the Equifax hack, since this is the company all those other companies check with before giving you any sort of credit, and they have info on you that even Google can only dream of. But of course now, thanks to these US companies, so does whoever hacked them, and of course whoever they sold the info to.

Care to resume your "spend the extra for US companies to keep your info secure" rant?
 
A friend of a friend had a sudden power failure on his DJI drone which resulted in it plummeting to the ground and being destroyed. DJI said that they'll only look at the flight log AFTER the warranty period is over. Fuck 'em.
 