Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Security

Submission + - Malicious Websites Can Subvert Personal Routers

Apro+im writes: PCWorld is reporting: "If you haven't changed the default password on your home router, do so now. That's what researchers at Symantec and Indiana University are saying, after publishing the results of tests that show how attackers could take over your home router using malicious JavaScript code."

The root of the problem seems to stem from routers allowing GET requests to have side-effects, allowing attackers to change settings and then perform man-in-the middle attacks. Though the story and the linked paper (PDF) claim that routers with changed passwords are immune, a quick experiment shows that routers which use HTTP Authentication can be compromised the same way, if the user has logged into their router earlier in the browser session. Also, though the article says this is a Javascript exploit, it can actually be executed by any tag which allows the inclusion of a "src" element from another domain (e.g., "img").

Whenever people agree with me, I always think I must be wrong. - Oscar Wilde

Working...