TP-Link forgets to register domain name, leaves config pages open to hijack

TP-Link logoIn common with many other vendors, TP-Link, one of the world's biggest sellers of Wi-Fi access points and home routers, has a domain name that owners of the hardware can use to quickly get to their router's configuration page. Unlike most other vendors, however, it appears that TP-Link has failed to renew its registration for the domain, leaving it available for anyone to buy. Any owner of the domain could feasibly use it for fake administration pages to phish credentials or upload bogus firmware. This omission was spotted by Amitay Dan, CEO of Cybermoon, and posted to the Bugtraq mailing list last week.

Two domain names used by TP-Link appear to be affected. tplinklogin-dot-net was used, according to TP-Link, on devices sold until 2014. On initial setup, while the router's Internet connection is still offline, the domain name will be trapped automatically and correctly send users to the router's configuration page. But subsequent visits to the configuration page can use the real Internet DNS system to resolve the address, and hence those routers are susceptible to being hijacked. A second TP-Link domain name, tplinkextender-dot-net, was used by TP-Link wireless range extenders and is similarly vulnerable.

The domain name's new owners want $2.5 million to give it back

Together, these domain names appear to be quite busy; estimates based on Alexa's ranking suggest that tplinklogin-dot-net sees about 4.4 million visits per month, with another 800,000 for tplinkextender-dot-net. It's not known who the new owner of the domains is, but Dan tweeted that domain name brokers are offering the more popular of the two for $2.5 million. This high price tag is perhaps why TP-Link has declined to buy the name back.

New TP-Link devices use tplinkwifi-dot-net and tplinkrepeater-dot-net as their configuration URLs for access points and range extenders, respectively. Dan says that TP-Link stopped communicating with him after changing references to the bad domain names from their manuals to use the new domain names as a partial fix. This does nothing to alter the stickers found on the backs or bottoms of affected devices that continue to reference the unregistered domains. There are also still references to the old domain names on TP-Link's website.

Source: Ars Technica

Tags: domains

Comments
Add comment

Your name:
Sign in with:
or
Your comment:


Enter code:

E-mail (not required)
E-mail will not be disclosed to the third party


Last news

 
Sales of new models way below those of 2017 generation
 
The new Windows 10 browser will run on the Chromium engine
 
Google will shut the service down in April of 2019 instead of August as initially planned
 
The regular S10 will sport a 6.1-inch panel with the same front-facing camera design
 
The smartphone has a 6.4-inch Full HD+ (2340 x 1080 pixel) Infinity-O display
 
Google Play Services will deprecate the aging OS in newer releases
 
Apple might be looking to trial the feature on the iPad before iPhone
 
Toshiba, which released the world’s first 14TB nearline 3.5-inch and 26.1mm-height HDDs with 9-disk
The Samsung Galaxy A5 (2017) Review
The evolution of the successful smartphone, now with a waterproof body and USB Type-C
February 7, 2017 /
Samsung Galaxy TabPro S - a tablet with the Windows-keyboard
The first Windows-tablet with the 12-inch display Super AMOLED
June 7, 2016 /
Keyboards for iOS
Ten iOS keyboards review
July 18, 2015 /
Samsung E1200 Mobile Phone Review
A cheap phone with a good screen
March 8, 2015 / 4
Creative Sound Blaster Z sound card review
Good sound for those who are not satisfied with the onboard solution
September 25, 2014 / 2
Samsung Galaxy Gear: Smartwatch at High Price
The first smartwatch from Samsung - almost a smartphone with a small body
December 19, 2013 /
 
 

News Archive

 
 
SuMoTuWeThFrSa
      1
2345678
9101112131415
16171819202122
23242526272829
3031     




Poll

Do you use microSD card with your phone?
or leave your own version in comments (11)