D-Link, Comba network gear leave passwords open for potentially whole world to see
Security researchers with Trustwave have discovered that certain DSL modems and Wi-Fi routers produced by D-Link and Comba expose user passwords to the Internet as the result of various firmware vulnerabilities.
D-Link devices are affected by two firmware bugs, one of which makes it possible to view a file containing the user password simply by visiting the file's path on the web-based admin console, namely https://[router ip address]/romfile.cfg. Comba devices are impacted by three flaws, including a plaintext password file that can be accessed via the device’s IP address. While D-Link has already fixed the issues, the vulnerable Comba devices do not appear to have been fixed.