DJI Patches Forum Bug That Allowed Drone Account Takeovers

Leading commercial drone maker DJI patched a cross-site scripting bug impacting its forums that could have allowed a hacker to hijack user accounts and gain access to sensitive online data, including flight images, bank card data, flight records and even real-time camera images.

The vulnerability is significant given DJI’s estimated 70 percent share of the commercial and consumer market, according to IDC researchers, who pointed out that “[s]ectors ranging from energy, government and public safety could potentially have their entire drone programs exposed.” Check Point publicly disclosed the bug Thursday. Researchers said they found the flaw in March. DJI said it fixed the forum vulnerability in September.

Read more about the DJI drone bug on Threatpost.