Plus AWS creds, public-facing S3 buckets packed with info
By Gareth Corfield 16 Nov 2017
Chinese drone maker DJI left the private key for its dot-com's HTTPS certificate exposed on GitHub for up to four years, according to a researcher who gave up with the biz's bug bounty process.
By leaking the wildcard cert key, which covers *.dji.com, DJI gave miscreants the information needed to create spoof instances of the manufacturer's website with the correct HTTPS certificate, and silently redirect victims to the malicious forgeries and downloads via standard man-in-the-middle attacks. Hackers could also use the key to decrypt and tamper with intercepted network traffic to and from its web servers.
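Leaks of this kind are normally caught by scanning changes for private-key and credential material before they reach a public repository. The following is an added example, not DJI's code or the researcher's, of a minimal pre-commit style secret scanner run over in-memory file contents; the paths and contents are constructed samples, the PEM body is a placeholder, and the AWS key ID is the documented example value.

```python
import re
from dataclasses import dataclass

# Patterns for the two kinds of secret the article mentions: PEM-encoded
# private keys (such as a TLS certificate's key) and AWS access key IDs.
# Constructed for illustration; production scanners use far larger rule sets.
SECRET_PATTERNS = {
    "pem_private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
    ),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per (line, pattern) hit in a file's contents."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(path, line_no, kind))
    return findings


def scan_staged(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents (what a pre-commit hook would read
    from the staged diff) and return every finding across all files."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample input: a deploy tree that wrongly embeds a TLS private
# key and an AWS key ID. The key body is a placeholder, not real key material.
SAMPLE_FILES = {
    "deploy/nginx/wildcard.pem": (
        "-----BEGIN PRIVATE KEY-----\n"
        "PLACEHOLDER_KEY_BODY_NOT_A_REAL_KEY\n"
        "-----END PRIVATE KEY-----\n"
    ),
    "deploy/env.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "README.md": "No secrets here.\n",
}

if __name__ == "__main__":
    for f in scan_staged(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.kind}")
```

Wired into a pre-commit hook, a non-empty result should block the commit; it will not catch secrets already pushed, which is where the key rotation and certificate revocation discussed above come in.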