NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Solved
Web GUI Password Recovery and Exposure Security Vulnerability
I would like to point out to Netgear that their password recovery options are woefully insecure. I followed their advice to turn on Password Recovery but immediately aborted, Every single question ca...
Hi All,
Here is the KB article for the said vulnerability. You can check for the specific model number that is affected.
hawki wrote:THIS IS A SCAM--IGNORE IT
I was beginning to feel deprived. I haven't seen this email.
My first thought whenever I see one of these message is scam.
If I want to do anything, I go to find the official source. I certainly don't start slagging off whoever is supposed to be the source of the email.
After all, would you ever follow the advice in emails from your bank?
I considered Netgear's Telephone Tech Support to be a reliable source. They told me to ignore the email because it was a scam. That was my mistake.
The Community Manger has confirmed that the email is valid.
I have no checkbox in my GUI to enable "Enable PW Recovery."
I received the email TWO MONTHS after the vulnerability was discovered.
The information is posted on Netgear's website here. https://kb.netgear.com/app/answers/detail/a_id/30632 I am always wary of such things as well and always check the website first. But, since it is posted on their website and not just in the community........However, I had to do a lot of digging to find it. It's not like it was on the main page. I had to look under my specific router and look under security to find it. Of course it is nowhere to be found on Facebook or Twitter or seems to me, it should be smack dab on the front page of their website!
I want to know why Netgear's Telphone Tech Support told me the email was a scam and to ignore it.
I want to know why the email was sent to me TWO MONTHS after the vulnerability was discovered.
I want to know why the "fix" is unworkable on my PC and Netgear GUI.
I want to know why I have to pay $50 to extend my 90 day support to get help to fix a vulnerability that was created by a Netgear Design Flaw.
I want to know why I was so stooopid to pay "top dollar" to buy a Netgear Product given today's experience.
hawki wrote:
I want to know why I have to pay $50 to extend my 90 day support to get help to fix a vulnerability that was created by a Netgear Design Flaw.You don't.
Firmware fixes are free in perpetuity.
Well researched.
I see that my D6400 is on the (s)hit list. But it says for firmware v1.0.0.44.
The release notes for the newer firmware, V1.0.0.52_1.0.52, do not promise to fix this issue.
All they say is:
Fixed the issue where the "Admin Password Protection" will disappear after refreshing the page.
This does nto seem to be the same issue.
So, is this fixed in the firmware? Or is the web statement wrong?