Just found by accident that the push service on my 8800nl sends a file (mdmcfg) with literally the entire router configuration in clear text, inclusive of all email accounts used for various services like email, snmp or alerts. This is sent with all passwords in clear text.
Is this by design? I think it's rather wrong.
Model Name BiPAC 8800NL
Software Version 2.32e
Push service sending password in clear text
Re: Push service sending password in clear text
noriga wrote: ↑Tue May 05, 2020 6:29 pm
> Just found by accident that the push service on my 8800nl sends a file (mdmcfg) with literally the entire router configuration in clear text, inclusive of all email accounts used for various services like email, snmp or alerts. This is sent with all passwords in clear text.
> Is this by design? I think it's rather wrong.
> Model Name BiPAC 8800NL
> Software Version 2.32e

I asked our engineers and they have stated the following:
Push Service is for diagnostics purposes only, and this feature is to aid our engineers in the debugging process (when there is an issue with the router).
Re: Push service sending password in clear text
I understand this, but debugging should not expose your passwords even to your engineers and, more importantly, in the case of a man-in-the-middle attack or SSL being compromised in your email system, that also means your passwords have gone all over the place.