TP-Link's M5350 3G/Wi-Fi router, has the kind of howling bug that gives infosec pros nightmares.
In what looks like a feature created for developers' convenience, but left behind when it should have been deleted, the device's admin credentials can be retrieved by text message.
The discoverer of the bug, a German company called Securai, told Heise.de the issue as a cross-site scripting (XSS) bug triggered by an SMS containing the following attack script:
The device replies with admin username, admin password, its SSID, and its login password.
In the Heise.de piece, Securai's Jan Hörsch said he discovered the bug by analysing the modem's firmware.
It's unlikely that the vulnerability has been patched, since according to TP-Link's current firmware download page for the M5350, the most-current version is M5350_V2_140115, released in January 2015.
The bugs were revealed at last week's Kaspersky Security Analyst Summit. ®