This article is a great example why you should use your own router instead of ISP provided one

  • gravitas_deficiency@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    5
    ·
    10 months ago
    lol holy shit

    The only thing in the above parameter that was valid was the device serial number. If this request worked, it meant that I could use an “encryptedValue” parameter in the API that didn’t have to have a matching account ID.

    I sent the request and saw the exact same HTTP response as above! This confirmed that we didn’t need any extra parameters, we could just query any hardware device arbitrarily by just knowing the MAC address (something that we could retrieve by querying a customer by name, fetching their account UUID, then fetching all of their connected devices via their UUID). We now had essentially a full kill chain.

    And then he proceeds to make arbitrary changes to his own modem via this exploit as a final proof. Jesus tapdancing christ.

  • Wispy2891@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    10 months ago

    I’m not a programmer but is it normal that the login page contains the whole main JavaScript code of a logged in user?

    Also, what’s the point of having this kind of client side api? Because you can never trust the client shouldn’t be everything server side and only return a html page with the data related to your account?

    • moira@femboys.barOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      10 months ago

      It doesn’t matter that website loads javascript code for logged in user, as you need a token (which server will give you after a successful login) to authenticate to apis, it is pretty common to do that way

      There wasn’t a client side API, but the API was missing crucial validation of user input (eg only checking the mac address but didn’t check who is actually authenticated)