Researcher Gets Threats Instead of Bug Bounty

DooKey ([H]F Junkie; joined Apr 25, 2001; 10,566 messages)
DJI, the Chinese company that manufactures the popular Phantom brand of consumer quadcopter drones, was informed in September that developers had left the private keys for both the "wildcard" certificate for all the company's Web domains and the keys to cloud storage accounts on Amazon Web Services exposed publicly in code posted to GitHub. Using the data, researcher Kevin Finisterre was able to access flight log data and images uploaded by DJI customers, including photos of government IDs, driver's licenses, and passports. Some of the data included flight logs from accounts associated with government and military domains. When he approached the company as part of their bug bounty program, he was threatened by DJI lawyers instead of getting the money he should have received for his work. As a result, he published his findings publicly. Anyway, it really sounds like DJI isn't a company to be trusted. Thanks, gxp500!

Finisterre found the security error after beginning to probe DJI's systems under DJI's bug bounty program, which was announced in August. But as Finisterre worked to document the bug with the company, he got increasing pushback—including a threat of charges under the Computer Fraud and Abuse Act (CFAA).
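The root cause described in the post above is credentials committed to a public repository. The scanner below is an added example, not code from DJI, Finisterre, or the article: it walks a git diff (or any text) looking for PEM private-key headers and AWS access-key pairs, and uses a Shannon-entropy filter to drop obvious placeholders so a CI gate can fail only on real-looking material. The sample diff, its file names, and the AKIA/secret values (AWS's own documentation placeholders, not live credentials) are all constructed for the example.

```python
"""Secret scanner for committed source text.

Added example: scans a diff or file contents for PEM private keys and AWS
credential pairs, the two kinds of material described in the post. Everything
below, including the sample diff, is constructed for illustration.
"""
import math
import re
from typing import Dict, List, Tuple

# Opening line of a PEM private-key block (PKCS#8, RSA, EC, DSA, OpenSSH).
PEM_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")
# AWS access key IDs: 20 chars, AKIA (long-term) or ASIA (temporary credentials).
AWS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A 40-char base64-ish token sitting next to a name like AWS_SECRET_ACCESS_KEY.
AWS_SECRET_RE = re.compile(
    r"(?i)aws_?secret_?access_?key\W{0,5}['\"]?([A-Za-z0-9/+=]{40})"
)
# Placeholders such as "xxxx..." have low entropy; real 40-char keys score ~4.5-5.
SECRET_ENTROPY_THRESHOLD = 3.5

Finding = Tuple[int, str, str]  # (line number, finding type, matched text)


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for a string of one repeated character)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def scan_text(text: str) -> List[Finding]:
    """Return one Finding per private key, access key ID, or plausible secret key."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        pem = PEM_KEY_RE.search(line)
        if pem:
            findings.append((lineno, "private_key_pem", pem.group(0)))
        for m in AWS_KEY_ID_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", m.group(0)))
        for m in AWS_SECRET_RE.finditer(line):
            candidate = m.group(1)
            # Entropy filter: keeps real keys, drops "xxxx..."-style placeholders.
            if shannon_entropy(candidate) > SECRET_ENTROPY_THRESHOLD:
                findings.append((lineno, "aws_secret_access_key", candidate))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by type, e.g. for a CI gate that fails on any non-zero count."""
    counts: Dict[str, int] = {}
    for _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample diff. The AKIA.../wJal... pair is AWS's documentation
# placeholder, not a live credential; the PEM body is a truncated dummy.
SAMPLE_DIFF = """\
+++ b/config/settings.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+++ b/config/settings.example.py
+AWS_SECRET_ACCESS_KEY = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+++ b/certs/wildcard.pem
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC
"""

if __name__ == "__main__":
    for lineno, kind, text in scan_text(SAMPLE_DIFF):
        print(f"line {lineno}: {kind}: {text}")
    print(summarize(scan_text(SAMPLE_DIFF)))
```

Run against the sample, the placeholder on the settings.example.py line is dropped by the entropy check while the real-looking pair and the wildcard certificate's private key are reported. Wire `scan_text` to `git diff --cached` in a pre-commit hook and the keys never reach GitHub in the first place.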
 

Stimpy88 ([H]ard|Gawd; joined Feb 18, 2004; 1,271 messages)
Americans would rather trust their personal information to Korean and Chinese companies, just because American companies charge a couple of dollars more, due to the higher overheads they face... Those few dollars you just saved were the price of your privacy, and your country's economy! lol
 

westrock2000 ([H]F Junkie; joined Jun 3, 2005; 9,305 messages)
Poor guy, he put a down payment on a Tesla 3 and everything because he knew he was gonna win. But now he doesn't get the Tesla he is entitled to.

Poor guy.
 

westrock2000 ([H]F Junkie; joined Jun 3, 2005; 9,305 messages)
I also like that he starts off the article with "you normies probably don't pay attention to legal documents, but I do because I'm a researcher, so let me tell you how dumb they were." And then at the end he is complaining about how he missed a big part of the agreement and that it's not his fault, it was an honest mistake.
 

Wrecked Em (Supreme [H]ardness; joined Sep 14, 2004; 7,344 messages)
He learned through a DJI modders' Slack channel that some DJI AWS accounts were set to be publicly accessible, and the "buckets" included "all attachments to the service e-mails they receive… images of damaged drones… receipt and other personal data… and 'occasional photos of people cut by propellers.'"

The plot thickens.
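The "publicly accessible" AWS accounts in the quote above come down to two things on an S3 bucket: its bucket policy and its ACL. The checker below is an added example, not DJI's or the article's code: it flags bucket-policy statements that grant read access to the anonymous `*` principal and ACL grants to the AllUsers or AuthenticatedUsers groups, working on documents in the shape that `get_bucket_policy` and `get_bucket_acl` return. The policy and ACL documents are constructed; the account ID 123456789012 is the AWS documentation placeholder. Statements carrying a Condition are left for manual review rather than auto-flagged, since a condition can still be wide open (an IP condition of 0.0.0.0/0, for instance).

```python
"""Public-bucket check for S3 bucket policies and ACLs.

Added example, not DJI's or the article's code. Evaluates policy and ACL
documents in the shape returned by get_bucket_policy / get_bucket_acl; the
documents at the bottom are constructed for illustration.
"""
import fnmatch
from typing import Any, Dict, List

# Predefined S3 group grantee URIs. AllUsers is anonymous; AuthenticatedUsers is
# anyone with any AWS account, which is effectively public as well.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# Actions that expose data when granted to everyone (lower-cased for matching).
READ_ACTIONS = ("s3:getobject", "s3:listbucket")


def _as_list(value: Any) -> List[Any]:
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} (both mean anonymous access)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _grants_read(actions: List[str]) -> bool:
    """IAM actions allow * wildcards, so match each pattern against the read actions."""
    return any(fnmatch.fnmatchcase(name, pat.lower())
               for pat in actions for name in READ_ACTIONS)


def public_policy_statements(policy: Dict[str, Any]) -> List[str]:
    """Sids (or positional labels) of Allow statements that let anyone read.

    Statements with a Condition are skipped: they may still be public but need
    a human to look at the condition.
    """
    hits: List[str] = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        if not _principal_is_everyone(st.get("Principal")):
            continue
        if _grants_read(_as_list(st.get("Action"))):
            hits.append(st.get("Sid", f"statement[{i}]"))
    return hits


def public_acl_grants(acl: Dict[str, Any]) -> List[str]:
    """'Group:Permission' labels for grants to the AllUsers/AuthenticatedUsers groups."""
    hits: List[str] = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTH_USERS):
            hits.append(f"{uri.rsplit('/', 1)[1]}:{grant.get('Permission')}")
    return hits


def assess_bucket(policy: Dict[str, Any], acl: Dict[str, Any]) -> Dict[str, Any]:
    """Combine both checks; a bucket is public if either path grants access."""
    policy_hits = public_policy_statements(policy)
    acl_hits = public_acl_grants(acl)
    return {"public_policy": policy_hits, "public_acl": acl_hits,
            "is_public": bool(policy_hits or acl_hits)}


# Constructed documents. 123456789012 is the AWS documentation placeholder account.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OwnerAll", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}
PRIVATE_POLICY = {"Version": "2012-10-17",
                  "Statement": PUBLIC_READ_POLICY["Statement"][1:]}
PUBLIC_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
PRIVATE_ACL = {"Grants": PUBLIC_ACL["Grants"][:1]}

if __name__ == "__main__":
    print(assess_bucket(PUBLIC_READ_POLICY, PUBLIC_ACL))
    print(assess_bucket(PRIVATE_POLICY, PRIVATE_ACL))
```

Account-level and bucket-level Block Public Access settings sit on top of both mechanisms and would have stopped this class of exposure outright; the checks above are what you run when those settings are off or when you inherit buckets that predate them.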
 

viper1152012 ([H]ard|Gawd; joined Jun 20, 2012; 1,025 messages)
'Member when you chased that squirrel and ran your drone into that transformer and blacked out the neighborhood.... DJI remembers
 

AceGoober (Live! Laug[H]! Overclock!; joined Jun 25, 2003; 23,577 messages)
By 11?

He learned through a DJI modders' Slack channel that some DJI AWS accounts were set to be publicly accessible, and the "buckets" included "all attachments to the service e-mails they receive… images of damaged drones… receipt and other personal data… and 'occasional photos of people cut by propellers.'"

The plot thickens.

Good on him. The contract was iffy and would have cost him more than the bug bounty paid in the long run.
 

DarkStar_WNY (2[H]4U; joined Dec 27, 2006; 2,362 messages)
Americans would rather trust their personal information to Korean and Chinese companies, just because American companies charge a couple of dollars more, due to the higher overheads they face... Those few dollars you just saved were the price of your privacy, and your country's economy! lol

Do you really think US companies are any better at protecting your privacy?

First we have our own government being hacked, the NSA and CIA being two among many, not to mention IRS workers losing laptops with millions of taxpayers' data on them. Then we had retailers like Target and Home Depot getting hacked and giving access to tens of millions of customers' data, but of course banks one-upped them and JPMorgan and others were hacked. But of course all those were made meaningless by the Equifax hack, since this is the company all those other companies check with before giving you any sort of credit, and they have info on you that even Google can only dream of; but of course now, thanks to these US companies, so does whoever hacked them, and of course whoever they sold the info to.

Care to resume your "spend the extra for US companies to keep your info secure" rant?
 

w4ffles (2[H]4U; joined Mar 13, 2008; 2,315 messages)
A friend of a friend had a sudden power failure on his DJI drone, which resulted in it plummeting to the ground and being destroyed. DJI said that they'll only look at the flight log AFTER the warranty period is over. Fuck 'em.
 