A major security vulnerability affecting Chinese drone company DJI could have led to hackers stealing personal data and even taking control of fleets of drones.
Security firm Check Point said Thursday that its researchers reported the security flaw to DJI in March, which resulted in DJI eventually fixing the vulnerability—spread across the company’s various websites and apps— by September. DJI said that hackers did not exploit the vulnerability and no customer data was stolen.
Oded Vanunu, Check Point Software head of products and vulnerability research, said that he wanted to probe possible security holes in DJI drones after some U.S. lawmakers alleged that the company’s drones could be used by the Chinese government to spy on critical infrastructure, a claim that DJI has denied.
Although the physical drone appeared secure, hackers could potentially gain control of the drones when exploiting flaws in the the way multiple DJI apps and services are tethered together. Some of DJI’s services include the FlightHub app that helps pilots manage and record the flight paths of multiple drones and software that lets people store their photos taken from their drone’s cameras in DJI’s servers.
In order to make it easier for people to automatically do tasks with their drones like taking photos, transferring those pictures to cloud storage, and recording flight logs, DJI users receive so-called “tokens” that allow them to access multiple apps and services without needing to manually log in, Vanunu said. Several major companies like Facebook also provide security “tokens” to people that help them log into other services like Instagram more easily, he explained.
Check Point then discovered an error in the DJI’s customer-facing forum website, in which people routinely post tips on how to fly drones or other musings.
Vanunu said Check Point created a malicious link that appeared to look like a normal link to a DJI website, like its online store. However, the link contained an extra bit of software code that exploited the forum website’s software flaw. If users were to have clicked on that link, they would have been redirected to the DJI online store seemingly unaware that behind the scenes, the extra software code in the link would have triggered the forum website to covertly send attackers a “cookie” that contained the users’ security keys. With the security keys, hackers could then steal data like photos, and even take control of drones in certain cases, he explained.
This type of “phishing” tactic is getting more prevalent Vanunu said, and hackers appear to be putting malicious links that look normal in various website forums, not just DJI.
While phishing attacks are not new, more security holes are opening up in apps as they get more complex in the way they are built and are connected to various other services. For instance, Vanunu likened the DJI security flaw to Facebook’s major data breach that affected up to 30 million people. In the Facebook breach, hackers were able to exploit three bugs in Facebook’s web infrastructure, that allowed them to access users’ software tokens, which could then be used to access personal data like emails from user accounts.
Get Data Sheet, Fortune’s technology newsletter.
We learned that this is something we need to share and make sure that consumers understand their privacy can be affected,” Vanunu said of reporting the bug to DJI.
Although DJI requires people to submit software bugs they discover to the company’s bug-bounty program, Vanunu said Check Point did not take a financial reward like what’s typical in those kinds of security programs, which are intended to spur outside coders to spot errors companies may have overlooked.
“We applaud the expertise Check Point researchers demonstrated through the responsible disclosure of a potentially critical vulnerability,” DJI vice president and country manager of North America Mario Rebello in a statement.
