Luckily no one else spotted flaw before we did, say infosec bods who reported vuln
Chinese drone giant DJI has fixed a critical security hole that left its customer account data and quadcopter videos potentially up for grabs.
From March through September this year, DJI’s customer records, many of which include sensitive data from drone flights, video footage, and owners’ personal details, could have been stolen by online attackers.
Check Point security researchers this week said they found it was possible to steal account login credentials from DJI’s customers, and use those secret keys to swipe info from the victims’ accounts.
Specifically, the team found that, after logging in, DJI’s web servers send your browser a cookie called _meta_key, which is used to access its various platforms, which include its website, mobile app, and enterprise service. If you supply someone’s _meta_key token to DJI’s apps or site, you effectively masquerade as that person.
After finding that a HTTP GET request to a /mobile.php URL returned the logged-in user’s _meta_key cookie, the team realized if they can somehow get a user to inadvertently fetch that URL, they could obtain the magic cookie to unlock their mark’s account.
And sure enough, they were able to use cross-site scripting (XSS) to trick a victim’s browser into accessing that URL, and send the fetched access token to the attacker using some crafty JavaScript. The team – Oded Vanun, Dikla Barda and Roman Zaikin – said their technique could also bypass XSS protections in browsers.
Here’s how that XSS would work: the thief would post on the DJI forums a malicious yet inviting link that, when clicked on by a curious logged-in user, would in actual fact request the aforementioned mobile.php and direct the returned _meta_key cookie to a web server of the hacker’s choosing. That would place the key in the hands of the miscreant, who would then use it to raid the mark’s account.
