
Push service sending password in clear text

Posted: Tue May 05, 2020 6:29 pm
by noriga
Just found by accident that the push service on my 8800nl sends a file (mdmcfg) with literally the entire router configuration in clear text, inclusive of all email accounts used for various services like email, SNMP or alerts. This is sent with all passwords in clear text.
Is this by design? I think it's rather wrong.

Model Name BiPAC 8800NL
Software Version 2.32e

Re: Push service sending password in clear text

Posted: Wed May 06, 2020 11:34 am
by billion_fan
noriga wrote:
Tue May 05, 2020 6:29 pm
Just found by accident that the push service on my 8800nl sends a file (mdmcfg) with literally the entire router configuration in clear text, inclusive of all email accounts used for various services like email, SNMP or alerts. This is sent with all passwords in clear text.
Is this by design? I think it's rather wrong.

Model Name BiPAC 8800NL
Software Version 2.32e

I asked our engineers and they have stated the following:

Push Service is for Diagnostics purposes only and this feature is to aid our engineers in the debugging process (when there is an issue with the router).

Re: Push service sending password in clear text

Posted: Wed May 06, 2020 12:10 pm
by noriga
I understand this, but debugging should not expose your passwords even to your engineers and, more importantly, in the case of a man-in-the-middle attack or of SSL being compromised in your email system, that also means your passwords have gone all over the place.