
Eircom router plaintext password accessible to anyone!!!

  • 02-12-2014 11:27am
    #1
    Registered Users, Registered Users 2 Posts: 990 ✭✭✭


    Hi Eircom,

    Go to the login screen of a D1000 router, and view the source code of the login screen page (right click -> View Page Source, or similar).

    You'll find this JS function:
    function DefaultPasswdNote_check()
    {
        var random_passwd = "4c5125eff3a7";
        var current_passwd = "YOURPASSWORDWILLBEHERE";
        // alert(current_passwd + " "+random_passwd);
        if(current_passwd != random_passwd ){
            $("#defaultPassNote").hide();
        }
    }


    Where I have written YOURPASSWORDWILLBEHERE, you will find your admin login password. It's actually how I remembered mine (that was handy).

    So people's admin passwords are accessible and viewable by anyone with access to 192.168.1.254, which, by default, you expose to the outside internet.

    Please tell me I am seeing things.


    Regards,
    rat_race
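
The pattern described in the post above, next to a server-side alternative and a check that flags the leak. This is an added example, not part of the original thread and not the router's firmware code: the function names are hypothetical, `CURRENT` is a constructed sample password, and `DEFAULT` is the `random_passwd` value quoted in the post.

```javascript
'use strict';
// Added example. Function names are hypothetical; CURRENT is a constructed
// sample password, DEFAULT is the random_passwd value quoted in the post.
const DEFAULT = '4c5125eff3a7';
const CURRENT = 's3cret pass/2014';
const NOTE = '<div id="defaultPassNote">Please change the default password.</div>';
const FORM = '<form method="post"><input type="password" name="pw"></form>';

// Pattern from the post: the server writes the live password into the page
// and lets the browser decide whether to hide the note.
function renderLoginVulnerable(defaultPasswd, currentPasswd) {
  return `${NOTE}${FORM}<script>
function DefaultPasswdNote_check() {
  var random_passwd = ${JSON.stringify(defaultPasswd)};
  var current_passwd = ${JSON.stringify(currentPasswd)};
  if (current_passwd != random_passwd) { $("#defaultPassNote").hide(); }
}
</script>`;
}

// Hardened form: the comparison happens on the server, so the response
// carries only its outcome (note present or absent), never either value.
function renderLoginHardened(defaultPasswd, currentPasswd) {
  return (currentPasswd === defaultPasswd ? NOTE : '') + FORM;
}

// Regression check for a firmware test suite: report every encoding of the
// secret that appears in a response served before authentication.
function leaksSecret(html, secret) {
  const forms = {
    raw: secret,
    url: encodeURIComponent(secret),
    base64: Buffer.from(secret, 'utf8').toString('base64'),
    hex: Buffer.from(secret, 'utf8').toString('hex'),
  };
  return Object.keys(forms).filter((name) => html.includes(forms[name]));
}

console.log(leaksSecret(renderLoginVulnerable(DEFAULT, CURRENT), CURRENT));
console.log(leaksSecret(renderLoginHardened(DEFAULT, CURRENT), CURRENT));
```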


Comments

  • Registered Users, Registered Users 2 Posts: 1,726 ✭✭✭gerryk


    Haha... that's hilarious. Or it would be if it wasn't so terrifying.


  • Registered Users, Registered Users 2 Posts: 9,222 ✭✭✭Tow


    It may as well be broadcasting your password in its SSID :-)




  • Registered Users, Registered Users 2 Posts: 990 ✭✭✭rat_race


    Eircom, any response? 

    Thanks.


  • Closed Accounts Posts: 3,072 ✭✭✭mass_debater


    Visible to anyone? Am I missing something here? Anyone who can access your router's login page on a local IP is already on your LAN.


  • Registered Users, Registered Users 2 Posts: 30 V6DEC


    This post isn't 100% correct. In order to view the admin password you first of all need to be granted access to the local LAN, either via a wired or wifi connection inc. wireless protocol authentication. It is not possible to view the admin password from the WAN/Internet side, which the initial post indicates. Also, it is worth a mention that many high-end modems (and other devices such as CCTV etc.) ship by default with admin/admin for the user/pass, so that to me is a bigger security issue; at least Eircom seem to have unique passwords for their modems.
    The important point here is that the WAN/Internet admin screen isn't exposed, so for that reason the post is really inaccurate and nothing worth losing any sleep over.


  • Registered Users, Registered Users 2 Posts: 740 ✭✭✭Aka Ishur


    V6DEC wrote: »
     seem to have unique passwords for their modems.
    The important point here is that the WAN/Internet admin screen isn't exposed, so for that reason the post is really inaccurate and nothing worth losing any sleep over.

    It is as V6 said, only available to people already on the network, but I hope cafés etc who share out the pw to customers see this. Quite a major vulnerability.


  • Closed Accounts Posts: 6,831 ✭✭✭eircom: Alan


    rat_race wrote: »
    Hi Eircom,

    Go to the login screen of a D1000 router, and view the source code of the login screen page (right click -> View Page Source, or similar).

    You'll find this JS function:
    function DefaultPasswdNote_check()
    {
    var random_passwd = "4c5125eff3a7";
    var current_passwd = "YOURPASSWORDWILLBEHERE";
    // alert(current_passwd + " "+random_passwd);
    if(current_passwd != random_passwd ){
       $("#defaultPassNote").hide();
    }
    }  


    Where I have written YOURPASSWORDWILLBEHERE, you will find your admin login password. It's actually how I remembered mine (that was handy).

    So people's admin passwords are accessible and viewable by anyone with access to 192.168.1.254, which, by default, you expose to the outside internet.

    Please tell me I am seeing things.


    Regards,
    rat_race

    Hi Rat_Race

    Thanks for your post and bringing this issue to our attention.

    We have been advised that the relevant hardware partner has been engaged to investigate the points raised in your post.

    To add a little more information on this we can confirm that

    · Access to the login screen of the D100 router is not accessible from the Internet by default.
    · Access is limited to either wired devices in the home or wireless devices configured with the appropriate SSID and encryption key.
    · Wireless broadcasts or beacons do not contain passwords.

    If you do have any further questions on this just let us know.

    Thanks

    Al
