Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
Get HideMyAss! VPN, PC Mag's Top 10 VPNs of 2016 for 55% off for a Limited Time ×
Security

Submission + - Malicious Websites Can Subvert Personal Routers

Apro+im writes: PCWorld is reporting: "If you haven't changed the default password on your home router, do so now. That's what researchers at Symantec and Indiana University are saying, after publishing the results of tests that show how attackers could take over your home router using malicious JavaScript code."

The root of the problem seems to stem from routers allowing GET requests to have side-effects, allowing attackers to change settings and then perform man-in-the middle attacks. Though the story and the linked paper (PDF) claim that routers with changed passwords are immune, a quick experiment shows that routers which use HTTP Authentication can be compromised the same way, if the user has logged into their router earlier in the browser session. Also, though the article says this is a Javascript exploit, it can actually be executed by any tag which allows the inclusion of a "src" element from another domain (e.g., "img").

Garbage In -- Gospel Out.

Working...