Optus has patched a vulnerability in its popular routers that allowed attackers to change administrative passwords without knowing the existing logins.
The flaw, reported by The Register, exists in the CG3000v2 cable modem and means attackers could type anything into the current password field to change the code to one of their choice.
University of Sydney tech Paul Szabo says attackers could use cross-site request forgery phishing links to change victim passwords.
"The fault is that the admin password can be changed on the web interface without providing the current password," Szabo told Vulture South last month.
"The page http://192.168.0.1/SetPassword.asp prompts for old and new password (and repeat of new), but in fact ignores the old password provided, and changes the password to the new one, regardless. This issue could be exploited via CSRF to change the password while the user happens to be logged in."
Optus began investigating the flaw after inquiries by this publication and asked vendor NetGear to come up with a fix.
Szabo says the telco pushed a fix to his router which closed off the hole.
"[Optus] developed a new firmware and installed it on my modem, and that solves the issue I reported," Szabo says.
The fixed router version is V2.08.05.
The vulnerability however could be considered excessive; most users would not bother to change passwords from the default of username 'admin' and password of 'password.' Indeed the basic manual [PDF] does not tell users to change their login credentials. ®