Push service sending password in clear text

Discussions for BiPAC 8800 series: 8800NL
noriga
Posts: 26
Joined: Wed Jul 30, 2014 8:51 pm

Push service sending password in clear text

Post by noriga » Tue May 05, 2020 6:29 pm

Just found by accident that the push service on my 8800NL sends a file (mdmcfg) with literally the entire router configuration in clear text, inclusive of all email accounts used for various services like email, SNMP or alerts. This is sent with all passwords in clear text.
Is this by design? I think it's rather wrong.

Model Name BiPAC 8800NL
Software Version 2.32e

billion_fan
Posts: 5165
Joined: Tue Jul 19, 2011 4:30 pm

Re: Push service sending password in clear text

Post by billion_fan » Wed May 06, 2020 11:34 am

noriga wrote:
Tue May 05, 2020 6:29 pm
Just found by accident that the push service on my 8800NL sends a file (mdmcfg) with literally the entire router configuration in clear text, inclusive of all email accounts used for various services like email, SNMP or alerts. This is sent with all passwords in clear text.
Is this by design? I think it's rather wrong.

Model Name BiPAC 8800NL
Software Version 2.32e

I asked our engineers and they have stated the following:

Push Service is for diagnostics purposes only, and this feature is to aid our engineers in the debugging process (when there is an issue with the router).

noriga
Posts: 26
Joined: Wed Jul 30, 2014 8:51 pm

Re: Push service sending password in clear text

Post by noriga » Wed May 06, 2020 12:10 pm

I understand this, but debugging should not expose your passwords even to your engineers and, more importantly, in the case of a man-in-the-middle attack or of SSL being compromised in your email system, that also means your passwords have gone all over the place.
