Security → Large-scale attack uses browsers to hijack routers

"Cybercriminals have developed a Web-based attack tool to hijack routers on a large scale when users visit compromised websites or view malicious advertisements in their browsers.":
»www.computerworld.com/ar ··· 15-05-26

One thing that is missing from the article: It talks about the need to update router firmware, but it does not discuss the (all-too-common) situation where the router manufacturer no longer supports the model, so that future firmware updates will never be issued.

Doesn't NoScript prevent this type of access to your router?

Good luck guessing my gateway IP.
Its not 192.168.*.* or 10.0.0.138 not even close.
Without that, they can't run their script.

Don't Forget you browser knows you IP address and it would be easy to guess your routers based on that alone

Does the browser actually know your local address or is it discoverable when you are browsing via Javascript or HTML5?

quote:

---

To protect themselves, users should check manufacturers' websites periodically for firmware updates for their router models and should install them, especially if they contain security fixes.

---

...along with OS patches and anti-X updates, pretty sure this is bottom of the "to procrastinate list" for alot of home users.
It works, that's all [the home users] need.

Any HTML5 or Java experts wanna comment on that? Dollars to donuts, pretty sure that's trivial to do.

Regards

If the identity of my routers were not publicly known because I have identified them numerous times on this site (if you are curious, look at my site profile and you can see them all), I would post both the public WAN, and private LAN IP addresses of each of them and ask you to identify them using only that information.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.

Sorry I was not clear, I know for certain that the Local IP can be discovered via HTML5 or Javascript.

Mmy question was, does the browser automatically know the IP
--
Warning, If you post nonsense and use misinformation and are here to argue based on those methods, you will be put on ignore.

Not without client side code. OTOH, the web server does know the public IP address even without client side code (as can be demonstrated by going to this site's »/whatismyip test page with scripting disabled). And if a router has a leaky HNAP/SOAP implementation, that can be enough to identify quite a bit about that router.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.

...or (gawd forbid) through UPNP, perhaps?

My 00000010bits

Regards

I would be wiling to bet that a substantial percentage of home users do not even know that a router contains firmware and it can be upgraded.

Well, at least Steve Gibson has an on-line test for UPnP through the WAN detection. I'm kind of surprised that his site does not have an HNAP/SOAP WAN access test. But since that is not necessarily linked to the standard http port 80, he may be concerned that a leaky router using a non-standard http port for HNAP/SOAP would falsely pass such a test (I know that I had to disable remote maintenance access to all of my D-Link routers because they allowed unauthenticated HNAP/SOAP queries from the WAN on whatever port I chose for remote access).
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.

This site has been posted before and is a good source for checking what can be 'shown' of you from the browser.

Run a test of default browsers versus that of 'secured' browsers and see the difference.

»ipleak.net/
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke

Good luck. My router runs no Web UI of any sort. Administration is done via ssh with a 4096 bit RSA key.