Researcher: DJI RCE-holes offered me $500 after I found Heartbleed etc on its servers
Keep your money, says chap (tho Chinese drone firm did patch 'em right quick)
Updated Chinese drone-maker DJI’s bug bounty programme has been struck with fresh controversy after a security researcher claimed he was offered just $500 for reporting, among others, the years-old Heartbleed vulnerability.
Infosec chap Sean Melia – no stranger to bug bounty programmes – said he discovered that DJI’s servers not only had not been patched against Heartbleed, the OpenSSL bug revealed in 2014, but were also vulnerable to SQL code injection attacks and remote code execution with root privileges.
Melia told El Reg an attacker could have “captured plaintext session cookies for users and dropped in as their account”. He also described how the SQL injection attack gave “full access to the purchase order database and full access within the application itself to all purchase orders.”
After reporting the "severe vulnerabilities" to DJI, Melia claimed he was offered $500 through the company’s bug bounty scheme. He told us that Heartbleed, the SQL injection vuln and the parameter manipulation flaw were all patched on the same day he reported them, though the remote code execution vuln “took them a few more days”.
“I declined the payment and basically told them they should not have a bug bounty programme,” Melia added to El Reg.
Most companies who “roll their own” bug bounty program don’t do it properly from my experiences. FB, MS, google, etc are obvious exceptions. Those companies have mature security teams. DJI on the other hand.. :)— Sean Melia (@seanmeals) November 27, 2017
He claimed that, based on DJI's own guide to bug bounty payouts, he would have expected "$16k minimum". The remote code execution vuln and Heartbleed both appear to fall within the "critical" category of vulns "that could cause leaks of a substantial amount of user data" or a "substantial amount of crucial servers being controlled", qualifying for a minimum payout of $5,000 each, while the parameter manipulation attack appears to qualify for the "high" category, meaning a minimum $1,000 payout.
Previously, DJI left the keys to its virtual castle lying around on Github for years. Infosec researcher Kevin Finisterre previously turned down a $30,000 bug bounty over what he described as thinly veiled threats by the Chinese-headquartered company, an accusation it denies. The company has since announced in a press release that it fired two developers responsible for the blunder.
While DJI has been at pains to tell El Reg that it collects very little personal data from its customers and drone operators, finding private keys on Github and years-old bugs on its servers that expose purchase orders and customers' personal data should not be happening to a company which presents itself as a successful multinational.
British military, police and security forces all use DJI products.
Finisterre has since faced a barrage of accusations from DJI, including press statements from the company pouring scorn on his employer, drone detection company Department 13, including mentions of its stock price and the list price of its flagship product. DJI and Department 13 compete in the drone detection market.
At no point was Finisterre’s research into DJI vulnerabilities carried out under Department 13’s auspices, he told us.
DJI was unable to comment by the time of writing. ®
DJI contacted us to say that Melia had signed their bug bounty terms and conditions, and therefore had broken them by speaking publicly about his findings. The company also said he had not disclosed all of the vulnerabilities mentioned in this article to them and that some of what he had disclosed had previously been reported to them, without adding further specifics. Melia told El Reg this was "not true at all" and that he "was 100 per cent transparent in the process and reported the vulnerabilities as quickly as I could to them".
"The offered reward was adequate to the reported issues," said DJI spokeswoman Barbara Stelzner, who added that Kevin Finisterre, the first researcher to go public with his experience of DJI, had used his work email address to contact the firm.