busyba (Initiate)
Jun 05, 2022
RBR850 Web User Interface no longer requires a password to access
For a long time, when I tried to connect to my Orbi RBR850 web user interface from my browser, I was getting an "unable to connect" error, which I believe was a very common problem for a while.
I assume I recently received the update to fix that issue, as described in this post: https://community.netgear.com/t5/Orbi-WiFi-6-AX-and-WiFi-6E-AXE/NETGEAR-is-rolling-out-a-fix-for-an-issue-affecting-the-Orbi/m-p/2226436
...and I can access the web user interface now. Unfortunately it's way too easy to access the web user interface now, as I am never prompted to provide a password.
Even if I click logout, when I go back to the router's IP address in my browser, I'm right on the main menu with full access, no login required.
Accessing the router from the smartphone app still requires a login, so the information is there, and I tried setting the password again and rebooting the router, but I can still get in without needing to provide any login credentials.
And this was all from a new laptop that I bought recently that had never connected successfully to that UI prior to this, so it's not a case of something being locally cached.
I feel like this seems like it might possibly be a bit of a security hole.
ChristineT ?
5 Replies
Be sure to clear out your browser caches, and if you happened to let your browser remember the RBR login information, this would be the only reason why your browser is not showing a login popup window.
Try a different browser as well. I use MS Edge all the time and always get a log in popup.
I think that is the entire point of the post. Even when the web browser has cached the login credentials ('admin' and password), the Orbi web interface always pops up the login box. If it does not, there is something different.
There are other web sites which remember a user, probably by storing a cookie, and know who the user is without asking. The Orbi web interface has never done that.
Another experiment would be to bring up the Orbi Attached Devices page and leave it open. After a certain number of minutes, that login prompt is supposed to pop up again. (This annoys me a lot because I may be typing something in a different browser window and when that prompt pops up, what I am typing goes into the "admin" part of the popup and I have to erase it and put "admin" back in - while swearing.)
If some time goes by and that popup window never appears, that is further evidence of something different going on.
I do not have an 850 with this firmware, and thus cannot test what happens myself.
- busyba (Initiate)
I think I have a vague idea of what is going on.
So first off, clearing cache and cookies did not do anything.
I tried with the Edge browser (My main browser is Chrome), and that did work correctly: was prompted for login. And after clicking logout and trying again, was prompted for login again.
I realized that I have Google Sync turned on in my Chrome environment. So I opened a new browser window under a guest profile and this time I was correctly prompted for login, and clicking logout also worked correctly, forcing me to need to login again.
So I'm guessing that there is something with Google Sync that is somehow over-aggressively preserving my credentials (it isn't a "saved passwords" thing, I do not save passwords in the browser or in GoogleSync; I have a separate password manager for that, and that one isn't even capable of detecting the login modal that the Orbi UI uses instead of a login webpage anyway).
It's extremely odd and slightly troubling, but at least I'm confident that it's not a gaping hole; it's not like anyone from the outside, or even on my network, will be let through into the router UI; it seems that only a browser that is logged into my personal GoogleSync account is going to be able to get in; and that's at least as secure as (if not more than) the login for the UI.
EDIT TO ADD: My firmware is V4.6.8.2_2.1.9, in case that matters.
This is all on one computer, correct?
Another 'feature' of the Orbi web interface is that it allows connection from only one IP address at a time.
Some browsers may have some automation in this to "more conveniently" allow users to log into different sites and deal with logins. I would not think it is a security hole, rather a possible browser feature that with Google seems to work as intended for their browser. Whether or not NG wants to try to prevent this or disallow this would be up to them. I don't use Google for certain reasons. All that is a Google feature and they would be the ones to check into this. I presume this may be handling other sites similarly as well.
I use MS Edge, Firefox and Opera, which have a Chrome engine but don't have the same features as Google's. They all allow me to save the login information, if I choose to; however, each time I hit ANY router's web page, the login pops up.
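Added example, not part of any post in this thread: a way to separate "the router is not asking for credentials" from "my browser profile is answering for me" is to send one request that carries no cookies and no Authorization header and look at what comes back. It assumes the login popup described above is an HTTP authentication challenge (the thread only calls it a login modal), and the stub server is a constructed stand-in on localhost so the script runs without a router.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def classify(status, headers):
    """Map the reply to a credential-free request to a verdict about the device."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 401 and h.get("www-authenticate"):
        return "enforced"        # the device itself demands credentials
    if 200 <= status < 300:
        return "open"            # content served with no credentials at all
    if 300 <= status < 400:
        return "redirect"        # probe the Location target by hand
    return "inconclusive"

def probe(host, port=80, path="/"):
    """Send one GET with no Cookie and no Authorization header."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return classify(resp.status, dict(resp.getheaders()))
    finally:
        conn.close()

def start_stub(require_auth):
    """Constructed stand-in for a router admin page, bound to localhost."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if require_auth and "Authorization" not in self.headers:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="stub"')
            else:
                self.send_response(200)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):   # keep the demo quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    for require_auth in (True, False):
        srv = start_stub(require_auth)
        print(require_auth, probe("127.0.0.1", srv.server_address[1]))
        srv.shutdown()
```

A verdict of "enforced" from a clean client while one browser profile still skips the prompt points at state held by that profile rather than at the router.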