JohnWDarby
Jun 28, 2016 (Initiate)
Web GUI Password Recovery and Exposure Security Vulnerability
I would like to point out to Netgear that their password recovery options are woefully insecure. I followed their advice to turn on Password Recovery but immediately aborted. Every single question ca...
- Jun 29, 2016
Hi All,
Here is the KB article for the said vulnerability. You can check for the specific model number that is affected.
hawki
Jun 29, 2016 (Apprentice)
I considered Netgear's Telephone Tech Support to be a reliable source. They told me to ignore the email because it was a scam. That was my mistake.
The Community Manager has confirmed that the email is valid.
I have no checkbox in my GUI to enable "Enable PW Recovery."
I received the email TWO MONTHS after the vulnerability was discovered.
pookie525
Jun 29, 2016 (Aspirant)
The information is posted on Netgear's website here. https://kb.netgear.com/app/answers/detail/a_id/30632 I am always wary of such things as well and always check the website first. But, since it is posted on their website and not just in the community... However, I had to do a lot of digging to find it. It's not like it was on the main page. I had to look under my specific router and look under security to find it. Of course it is nowhere to be found on Facebook or Twitter or seems to me, it should be smack dab on the front page of their website!
- hawki, Jun 29, 2016 (Apprentice)
I want to know why Netgear's Telephone Tech Support told me the email was a scam and to ignore it.
I want to know why the email was sent to me TWO MONTHS after the vulnerability was discovered.
I want to know why the "fix" is unworkable on my PC and Netgear GUI.
I want to know why I have to pay $50 to extend my 90 day support to get help to fix a vulnerability that was created by a Netgear Design Flaw.
I want to know why I was so stooopid to pay "top dollar" to buy a Netgear Product given today's experience.
- michaelkenward, Jun 29, 2016 (Guru - Experienced User)
hawki wrote:
I want to know why I have to pay $50 to extend my 90 day support to get help to fix a vulnerability that was created by a Netgear Design Flaw.
You don't.
Firmware fixes are free in perpetuity.
- hawki, Jun 29, 2016 (Apprentice)
Thanks for your reply :-)
But, the vulnerability notice includes a specific fix that is unworkable on my PC and GUI. Yes, it says it will be fixed in an upcoming firmware update. But until then what?
- pookie525, Jun 29, 2016 (Aspirant)
I know exactly how you feel. I think it is revolting the way they are handling this. Of course, they really don't care what happens to any of us in the first place. I had a really bad experience with Netgear before dealing with their horrendous, outsourced customer service. I swore then that I would never, ever buy another one. I used whatever my ISP gave me until I switched and had to get my own. I was dead set against getting a Netgear but everyone from the people at Best Buy to people online to friends and family recommended Netgear. It was the best that I could buy they said.
Not too long ago, there was another breach of some sort that I had to go in and try to fix. I am pretty good with computers but not the greatest at networking. Of course, customer service could not help because the router was no longer in that magical 3 month window in which I could get some horrendous, outsourced customer service. I would never pay them $50 to extend your warranty. They won't help you anyway.
I also don't know why it took so long to receive this email. I got mine yesterday, however the website clearly states that it was discovered in early May?
I'm sorry that I don't know the answers to any of your questions but I understand where you are coming from and feel the need to vent as well.
- hawki, Jun 29, 2016 (Apprentice)
Thanks pookie for your thoughtful understanding of my outrage.
- michaelkenward, Jun 29, 2016 (Guru - Experienced User)
Well researched.
I see that my D6400 is on the (s)hit list. But it says for firmware v1.0.0.44.
The release notes for the newer firmware, V1.0.0.52_1.0.52, do not promise to fix this issue.
All they say is:
Fixed the issue where the "Admin Password Protection" will disappear after refreshing the page.
This does not seem to be the same issue.
So, is this fixed in the firmware? Or is the web statement wrong?