Unrestricted access to router admin UI
This is an odd one that I can't seem to pinpoint:
1. Reset entire system to factory defaults.
2. Set up the system again.
3. Establish admin password, as required.
4. Login to Router Admin page (192.168.1.1) using password set initially in step 3.
5. Click logout in upper-right corner.
6. Open ANY browser on my local network (connected to my "main" wifi SSID).
7. Navigate to Router Admin page (192.168.1.1).
8. Voila, automatically logged in with unrestricted admin rights, no password asked for.
I have tried from multiple computers (with diff IPs obviously), multiple browsers on same computer, incognito mode browser on multiple computers, browser inside my Win11 VM, etc. All seamlessly able to administer the router without the password.
I have the IoT network and Guest networks enabled. Can replicate this unrestricted access on the IoT network. Cannot access 192.168.1.1 at all from Guest network, so one could argue this isn't a huge security issue. Thought maybe it was because I had the Guest network enabled ("trust anyone on my own private network"), but that doesn't appear to be the case as I disabled the Guest network and the issue is still present.
Apparently I got a "special" Orbi 970 if no one else is seeing this same behavior! Scratching my head.
Re: Unrestricted access to router admin UI
How soon are you logging out and then back in to the RBR's web page?
Does your browser save the login info and password as well?
Re: Unrestricted access to router admin UI
I've gone over an hour between login attempts and am still able to login. Have logged in from my primary machine, logged out, went and started up my son's computer, went to 192.168.1.1 and was in without even being prompted for credentials.
Re: Unrestricted access to router admin UI
Thank you for reporting this issue to us and bringing it to my attention. I will ask our engineering team to look into it.
Re: Unrestricted access to router admin UI
WOW, I have been in and out of my 970 system many times with my Mac mini, Chromebook, and iPhone Safari...
Always a pop-up to type user and password.
With that other white light problem, I would have to say you have defective equipment, BUT that is just my opinion.
Re: Unrestricted access to router admin UI
Just because one user sees a problem doesn't mean others should see the same thing. It's possible this user's unit is just faulty or in a bad state. I've not seen this ever since day one on mine. I get the login window each and every time I go to the router's web page.
Re: Unrestricted access to router admin UI
@Straq @FURRYe38 An update on this issue:
I started from scratch today. Completely reset router and satellites. Went through the entire setup of my Orbi using the iOS app.
The issue of being able to get into router admin pages from any device on network is no longer occurring. Phew!
I did find a different potential security issue however. I would be curious if someone else could try to replicate it ...
It appears that the router will allow any browsers from a single device to access the admin portal if a user has logged in via that IP, and has not logged out.
How to reproduce:
1. Clear cookies on all browsers.
2. Using the browser of your choice (I used Chrome), login to your router's admin pages.
3. Do not click "Logout" in upper right. Just close/exit the browser.
4. Using any other browser (Safari in my case) from the same computer, open your router admin page.
5. You should be in without being prompted for a password.
I've tested this with multiple browsers, as well as within a VM on my Mac that shares the Mac's IP. Once a user has logged in from an IP, and has not logged out, anyone can administer the router.
This isn't an issue for me in particular, as no one else uses my laptop, and I can just be sure to logout. However, imagine a scenario where a household used a shared computer. If the admin portal had been logged into from that computer, and the session was not logged out, any other user of that computer would be able to access it, so long as the IP doesn't change.
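A minimal model of the behaviour reported in the post above, added here as an illustration; it is not part of the original thread and is not NETGEAR's firmware code. It contrasts a session store keyed on the client's source IP with one keyed on a per-browser random token. The class names, the idle timeout and the LAN addresses are assumptions constructed for the example.

```python
import secrets

IDLE_TIMEOUT = 300  # seconds; assumed value for the token-based design


class IpKeyedSessions:
    """Models the reported behaviour: 'logged in' is remembered per source IP."""

    def __init__(self):
        self._logged_in_ips = set()

    def login(self, ip, now):
        self._logged_in_ips.add(ip)
        return None  # no per-browser secret is issued

    def is_authorized(self, ip, cookie, now):
        return ip in self._logged_in_ips  # any client behind this IP passes


class TokenSessions:
    """Hardened contrast: a random token per login, bound to IP, with idle expiry."""

    def __init__(self):
        self._sessions = {}  # token -> (ip, last_seen)

    def login(self, ip, now):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (ip, now)
        return token  # would be sent as an HttpOnly session cookie

    def is_authorized(self, ip, cookie, now):
        entry = self._sessions.get(cookie) if cookie else None
        if entry is None:
            return False
        bound_ip, last_seen = entry
        if bound_ip != ip or now - last_seen > IDLE_TIMEOUT:
            del self._sessions[cookie]  # expire abandoned or moved sessions
            return False
        self._sessions[cookie] = (ip, now)
        return True


def replay(sessions):
    """Replay the post's steps; report what each client is allowed to do."""
    ip = "192.168.1.50"                      # constructed LAN address
    cookie = sessions.login(ip, now=0)       # step 2: log in with browser A
    # step 3: browser A is closed without clicking Logout
    return {
        "first_browser": sessions.is_authorized(ip, cookie, now=60),
        "second_browser_same_ip": sessions.is_authorized(ip, None, now=60),  # step 4
        "other_device": sessions.is_authorized("192.168.1.51", None, now=60),
        "abandoned_session": sessions.is_authorized(ip, cookie, now=61 + IDLE_TIMEOUT),
    }
```

With the IP-keyed store, `second_browser_same_ip` comes back `True`, which matches step 5 of the reproduction; with the token store, only the browser holding the cookie is admitted, and the session left open in step 3 expires on its own.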
Re: Unrestricted access to router admin UI
I can produce this on my Win 10 PC with MS Edge and Chrome but can't produce this on my Win 11 PC with MS Edge or Firefox; they give me the login each time. Cleared browser caches on both as well.
Re: Unrestricted access to router admin UI
Glad you were able to reproduce it. Strange that it didn’t on Win11.
Re: Unrestricted access to router admin UI
Will let NG take the ball now.