JohnWDarby
Initiate
Jun 28, 2016
Solved

Web GUI Password Recovery and Exposure Security Vulnerability

I would like to point out to Netgear that their password recovery options are woefully insecure. I followed their advice to turn on Password Recovery but immediately aborted. Every single question can be answered by scanning my Facebook page for a few minutes. And no, it's not "save me from myself". My older sister does a lot of genealogy on the family and posts everything there. I have no issues with that. She enjoys doing it and my family likes the pictures and stories of previous generations. However first names, middle names, place born, etc. are all there.

I have two suggestions: a) Ability to add your own question/answer couplet and b) Some kind of 2FA.

48 Replies

  • THIS IS A SCAM--IGNORE IT

    I was on the phone with Tech Support to confirm the vulnerability and was informed the current email circulating about the vulnerability did not come from Netgear and is a scam!!! I must have asked him 10 times to be certain.

    Does Netgear's left hand know what the right hand is doing????

    The email account from which it came has been closed.

      •
        hawki
        Apprentice

        Well the "Official" Poster may have received the email and is not invulnerable to a scam. Would be nice to get a definitive answer.

        As you can see I have never posted here previously but registered today after speaking to Tech Support. Was shocked to see the "badges": OP.

        I am still genuinely concerned about this issue.

        Support may be misinformed but I doubt they have been infiltrated.

        Does the CM monitor all threads?

    •
      michaelkenward
      Guru - Experienced User

      hawki wrote:

      THIS IS A SCAM--IGNORE IT

      I was beginning to feel deprived. I haven't seen this email.

      My first thought whenever I see one of these messages is scam.

      If I want to do anything, I go to find the official source. I certainly don't start slagging off whoever is supposed to be the source of the email.

      After all, would you ever follow the advice in emails from your bank?

      •
        hawki
        Apprentice

        I considered Netgear's Telephone Tech Support to be a reliable source. They told me to ignore the email because it was a scam. That was my mistake.

        The Community Manager has confirmed that the email is valid.

        I have no checkbox in my GUI to enable "Enable PW Recovery."

        I received the email TWO MONTHS after the vulnerability was discovered.

  •
    michaelkenward
    Guru - Experienced User

    JohnWDarby wrote:

    Every single question can be answered by scanning my Facebook page for a few minutes.

    Good point, but you could always create fake answers.


    Then again, the sort of person who forgets passwords may also forget fake answers.
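    An added example of the fake-answer approach suggested in the reply above, written for this edit and not taken from the thread or from NETGEAR: it audits a set of recovery answers against a constructed public-profile text, flags any answer that appears in it, and replaces the flagged ones with random answers drawn from the OS CSPRNG. The question wording, the profile text and the "truthful" answers are all constructed sample data, not any vendor's actual question list.

```python
import math
import re
import secrets
import string

# Constructed sample questions of the kind a router web GUI might offer
# (hypothetical wording, not NETGEAR's actual list).
RECOVERY_QUESTIONS = [
    "What is your mother's maiden name?",
    "In which city were you born?",
    "What was the name of your first pet?",
]

# Constructed sample of what a public social-media profile might reveal.
PUBLIC_PROFILE = """
Born and raised in Springfield. Mum's side of the family are the Bakers,
grandad was a Baker too. Our first dog Rex is in half these photos.
"""


def _normalize(text: str) -> str:
    # Lower-case and strip all whitespace so "Spring field" still matches "springfield".
    return re.sub(r"\s+", "", text.lower())


def exposed_questions(answers: dict, profile_text: str) -> list:
    """Return the questions whose current answer occurs in the public profile text
    (case- and whitespace-insensitive substring match). This is a heuristic: it
    catches verbatim leaks, not paraphrases."""
    haystack = _normalize(profile_text)
    return [q for q, a in answers.items() if _normalize(a) and _normalize(a) in haystack]


def random_answer(length: int = 20) -> str:
    """Generate a recovery answer from the OS CSPRNG. Letters and digits only,
    so it survives input filters that reject punctuation."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def answer_entropy_bits(answer: str, alphabet_size: int = 62) -> float:
    """Entropy of a uniformly random answer over an alphabet of the given size."""
    return len(answer) * math.log2(alphabet_size)


def regenerate_exposed(answers: dict, profile_text: str, length: int = 20) -> dict:
    """Return a copy of the answer map in which every exposed answer has been
    replaced by a random one; answers that were not exposed are kept."""
    new = dict(answers)
    for q in exposed_questions(answers, profile_text):
        new[q] = random_answer(length)
    return new


if __name__ == "__main__":
    # Constructed "truthful" answers that the sample profile gives away.
    truthful = {
        RECOVERY_QUESTIONS[0]: "Baker",
        RECOVERY_QUESTIONS[1]: "Springfield",
        RECOVERY_QUESTIONS[2]: "Rex",
    }
    print("Exposed:", exposed_questions(truthful, PUBLIC_PROFILE))
    fixed = regenerate_exposed(truthful, PUBLIC_PROFILE)
    for q, a in fixed.items():
        print(f"{q} -> {a}  ({answer_entropy_bits(a):.0f} bits)")
    # Record the question -> answer map in a password manager rather than memory;
    # that is what makes the "forgetting fake answers" objection go away.
```

    A 20-character alphanumeric answer carries roughly 119 bits of entropy, which turns the recovery question into a second secret rather than a hint. The trade-off the next reply raises is real: the random answers have to be stored somewhere (a password manager), because nobody will remember them.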

     

  • Netgear's customer support policy leaves a lot to be desired, but on the issue of taking two months to inform customers about this vulnerability, it is not necessarily unreasonable.

    What!?! How can that be? When it comes to a security vulnerability, it's counterproductive to make a public announcement until one is sure that the vulnerability is real and, ideally, one has a fix available. The last thing you want to do is tell every hacker in the world that you have an unpatched flaw with no fix in sight.

    Automobile recalls? You'd be surprised how many safety issues never result in recalls. Look how long GM took to fess up on the key ignition flaw. They got caught in that one, but for every issue like that, there are probably several more being buried. Or they are documented as non-mandatory service bulletins, where the customer has to ask for the fix, provided they know about it!

    In the security industry, it's common for white hat hackers to quietly work with companies to fix vulnerabilities. This process takes time. White hats will often prescribe a certain amount of time before they publicize a bug. This is done to incentivize a company to not drag its feet. It's possible that Netgear took too long, or perhaps the news simply leaked out and they were forced to make a public statement.

    Do you have a right to be frustrated? Sure. But hopefully you can see the other side of the coin.

    This particular bug is similar to other bugs in that it requires a hacker to already have inside access to your network in order to attack your router. If a hacker has access to your network, you have already lost the war. Who cares about the battle over your router? Actually, you should care, but I hope you get my point.

    For this reason, I've been advocating in other threads to not enable password recovery. I do not represent Netgear and this advice is my own. Use it at your own risk.

    •
      michaelkenward
      Guru - Experienced User

      TheEther wrote:

      Automobile recalls? You'd be surprised how many safety issues never result in recalls. Look how long GM took to fess up on the key ignition flaw. They got caught in that one, but for every issue like that, there are probably several more being buried. Or they are documented as non-mandatory service bulletins, where the customer has to ask for the fix, provided they know about it!

      Even when they do happen, recalls in this sector are phased. They don't call up all cars immediately.

      The urgency depends on the severity of the issue. Something that has minimal safety implications can wait.

      Likewise with IT stuff. If a bug means that planes could fall out of the sky, there is a rush to fix it. If it just means a few sleepless nights for the terminally paranoid, what's the hurry?

      •
        hawki
        Apprentice

        michaelkenward:

        My reference to auto recalls was in the context of complaining about the cost to get help to fix the vulnerability (in my case $50) since my Wifi Cable Router Gateway was purchased 12 months ago. I will need help since my Netgear GUI Change PW Page has no checkmark box to "enable PW Recovery."

        I was not using the auto recall analogy as a standard for the length of time from discovery of a defect to customer notification. I was using it as a comparable case of manufacturer cost responsibility for a defect. I am highly security aware and have a triple layered security set up and use two on demand second opinion security scanners. I keep current on security and internet privacy news on an hourly basis. I am not aware of Netgear having issued a press release on this vulnerability as other security and hardware companies do. The way Netgear handled this vulnerability is Shameful: unaware Tech Support giving out potentially disastrous misinformation; email notification to me two months after it was posted in the Security Advisory section; a fix that myself and others, as reported on this forum, cannot make; and a totally non-responsive answer to a filed emailed support ticket.

        I did submit a case ticket by email that is limited to 150 characters. I stated my problem to be that I had no "enable PW Recovery" box on my Change PW Page to enable PW Recovery, the suggested security fix.

        I received a response similar to the following. It was totally unresponsive to my question: "To change your password go to the change PW page, enter your new PW, confirm the new PW, click OK, close GUI." NADA about how to find the "enable PW Recovery box."

        Netgear's approach in its handling of this matter is an inexcusable disgrace.

        hawkeye

    •
      hawki
      Apprentice

      Hello TheEther :-)

      I agree that a company needs time, perhaps several months, to investigate the cause and extent of a vulnerability or security breach before notifying affected customers.

      BUT that is not what happened here. The Security Notice on the Netgear Website was posted in early May (this morning that page was taken down with a notation that it may be in the process of being modified). If you look through the comments you will see that many received the email in early to late May. Some received it in early June and I received it yesterday.

      So while parts of your comment are totally valid, they are totally inapplicable to my complaint.

      Respectfully,

      hawkeye

  • Ok, I am no way as savvy as you people so please help me out. I got the email too. About 3 weeks ago I learned my data allotment was used in one night, hacked and stolen by some yahoo who downloaded porn from directv. I was on the phone for 3 hours with tech support from excede internet, netgear and directv, none of which would take responsibility or even help me. So, I had to limp around on dialup speed for a month. Now I get this email and the directions might as well be in another language. I tried to do what they suggested, but it doesn't work. Here's my question. I am connected to the internet via satellite because I live in the sticks. Do I have to have the router? My understanding was that the sat internet comes thru the exede router and the netgear router only boosted the wifi signal. Sorry to be so stupid at this, but it's completely confusing to me!

    •
      pookie525
      Aspirant

      CarolO,

      I have never had satellite internet but I believe that the device that you are speaking of that you get your internet from is the modem. The router from Netgear enables you to receive wifi throughout your home. I am fairly certain that you would need the router unless your computer is directly plugged into the other device that you have.

    •
      hawki
      Apprentice

      Hi CarolO :-)

      I am very sorry to hear of your dreadful experience with an unsecure connection and Netgear Support among others. If Netgear Support told you he/she would not help you, that is outrageous. If on the other hand, you were told they could not help you, that would be a different story.

      Are you using default passwords?

      If your excede modem has a router I don't know why you would need a Netgear Router, unless the excede router was not powerful enough for your home.

      http://www.exede.com/wifi-modem/

      I do not know enough to help you but there are others on this Forum who probably do.

      With my issue TheEther and michaelkenward were particularly helpful and gave up a lot of their time to try to help me.

      I suspect they, or someone similarly qualified, will see your post and offer assistance.

      Does Direct TV or excede have a forum?

      Hopefully It Was All Just a Bad Dream and it's time to wake up.

      The Netgear Genie app will tell you what is connected to your network and if your channel is also being used by someone else. Not sure if that would be of much help.

      There are various ways to connect your network, some more secure than others. But again I don't know enough to help you.

      •
        hawki
        Apprentice

        I see

        I thought you were talking about a wireless gateway router (modem and router)

        But again I am relatively clueless how to prevent the hijacking of your network and or bandwidth.

        Apparently there is scum even in the "sticks"

        Sorry

    •
      doraemon
      Prodigy

      You may have to clarify more on your network setup.

      In general, you will have a modem from your ISP and then that modem is connected to a router.

      Having said that you received the email, which Netgear device model number do you have?

      The model number can be seen on the bottom of the unit in a tiny print that says MODEL NO.