Some bugs are very strange and dangerous, this is the case of a flaw affecting the TP-Link’s M5350 3G/Wi-Fi router that can expose admin credentials to an evil text message.
The bug was discovered by the security researcher Jan Hörsch from the German firm Securai, basically, it is a cross-site scripting (XSS) vulnerability that could be exploited by an attacker by simply sending an SMS containing the following attack script:
“Among other things, he showed that the mobile router from TP-Link M5350 is permanently vulnerable to cross-site scripting, which is triggered by SMS. If an attacker sends an SMS with the appropriate content, the router answers with the login data of the admin – including the password in the plaintext.” reported the Heise.de.
Hörsch conducted an intensive research on various Internet-of-Things devices discovering multiple vulnerabilities. He analyzed the firmware running on several smart objects and discovered multiple bugs easy to exploit, the results of the research were presented at the recent Kaspersky Security Analyst Summit.
The flaw in the TP-Link’s M5350 3G/Wi-Fi modem appears like a feature created by developers, likely for testing purposes, unfortunately, it wasn’t removed in production.
The device’s admin credentials can be retrieved by an attacker with a simple text message, the router replies with admin username, admin password, its SSID, and its login password.
It is unlikely that the bug has been fixed by TP-Link, giving a look at the firmware download page for the TP-Link M5350 it is possible to verify that the most-recent version for the flawed device is M5350_V2_140115, released in January 2015.
Hörsch also analyzed a Panasonic BM ET200 retina scanner and a Startech modem, both devices affected by flaws.
(Security Affairs – TP-Link M5350, hacking)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.