JohnWDarby
Jun 28, 2016 (Initiate)
Web GUI Password Recovery and Exposure Security Vulnerability
I would like to point out to Netgear that their password recovery options are woefully insecure. I followed their advice to turn on Password Recovery but immediately aborted, Every single question ca...
- Jun 29, 2016
Hi All,
Here is the KB article for the said vulnerability. You can check for the specific model number that is affected.
TheEther
Jun 29, 2016 (Guru)
Netgear's customer support policy leaves a lot to be desired, but on the issue of taking two months to inform customers about this vulnerability, it is not necessarily unreasonable.
What!?! How can that be? When it comes to a security vulnerability, it's counter productive to make a public announcement until one is sure that the vulnerability is real and, ideally, one has a fix available. The last thing you want to do is tell every hacker in the world that you have an unpatched flaw with no fix in sight.
Automobile recalls? You'd be surprised how many safety issues never result in recalls. Look how long GM took to fess up on the key ignition flaw. They got caught in that one, but for every issue like that, there are probably several more being buried. Or they are documented as non-mandatory service bulletins, where the customer has to ask for the fix, provided they know about it!
In the security industry, it's common for white hat hackers to quietly work with companies to fix vulnerabilities. This process takes time. White hats will often prescribe a certain amount of time before they publicize a bug. This is done to incentivize a company to not drag its feet. It's possible that Netgear took too long, or perhaps the news simply leaked out and they were forced to make a public statement.
Do you have a right to be frustrated? Sure. But hopefully you can see the other side of the coin.
This particular bug is similar to other bugs in that it requires a hacker to already have inside access to your network in order to attack your router. If a hacker has access to your network, you have already lost the war. Who cares about the battle over your router? Actually, you should care, but I hope you get my point.
For this reason, I've been advocating in other threads to not enable password recovery. I do not represent Netgear and this advice is my own. Use it at your own risk.
hawki
Jun 29, 2016 (Apprentice)
Hello TheEther :-)
I agree that a company needs time, perhaps several months to investigate the cause and extent of a vulnerability or security breach before notifying affected customers.
BUT that is not what happened here. The Security Notice on the Netgear Website was posted in early May (This morning that page was taken down with a notation that it may be in the process of being modified.) If you look through the comments you will see that many received the email in early to late May. Some received it in early June and I received it yesterday.
So while parts of your comment are totally valid, they are totally inapplicable to my complaint.
Respectfully,
hawkeye