D-Link Forums
The Graveyard - Products No Longer Supported => IP Cameras => DCS-2332L => Topic started by: SergeGardien on January 10, 2016, 03:47:42 AM
-
Ok, I'm trying to do a bit of reverse engineering on my DCS-2332L to solve by myself the issue with the video recording and the "Total cycling recording size" setting (read my other post to get an idea: http://forums.dlink.com/index.php?topic=64182.0) and I've found another extremely serious issue:
THE D-LINK DCS-2332L DOESN'T ENCRYPT ANY PASSWORD YOU'VE PROVIDED (EMAIL/GMAIL ACCOUNT TO SEND REPORTS; ADMIN PASSWORDS OF NAS/SAMBA SERVERS; ETC.) !!!
I guess this is true for many other D-Link IP Cameras.
To check for yourself what I'm talking about, just do the following:
1) Open your web browser (Firefox/Google Chrome/whatever) while you're connected to the network (WiFi or wired) where you've installed your D-Link camera
2) Open the following URL: http://IP_ADDRESS_OF_YOUR_CAMERA/setup_event.js
Search inside this JavaScript file for the data you've provided (email/admin accounts, etc.) and you'll see all the passwords you've provided.
If you think this is normal, I can assure you it is not. This kind of data should be encrypted so that any tech-savvy guy can't access it.
UPDATE-1: You can also read the name of the D-Link employee/programmer who worked on this JavaScript file (encrypted, it reads like w******c***); just search for the following date inside this file and you will see his comment in the code: 2014.03.11 => At least we have a contact inside D-Link that we can try to reach
-
Interesting. I was prompted for a password on my 2230.
The question now would be: is that available to a non-admin account?
-
You don't even need to break open the javascript to see this. Just download the camera's configuration file using the button on the Maintenance > System page and you'll see the IDs and passwords for all mail accounts, servers, etc. that you've configured in the camera, right there in plain text.
For this reason, I set up a mail account specifically for my cameras' use and made some other changes to my local network security and configuration.
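The check described in the posts above (looking through setup_event.js or the exported configuration file for the credentials you entered), as an added example that is not part of the original thread or D-Link's code. It also catches base64- and hex-encoded copies and redacts a file before it is shared; the function names and the sample text are constructed, since the thread does not show the real file layout.

```python
import base64
import re


def _forms(secret: str) -> dict:
    """Plaintext plus two trivial encodings that offer no real protection."""
    raw = secret.encode("utf-8")
    return {
        "plaintext": secret,
        "base64": base64.b64encode(raw).decode("ascii"),
        "hex": raw.hex(),
    }


def find_exposed_secrets(text: str, secrets: dict) -> list:
    """Return (line_number, label, encoding) per hit; the secret itself is never returned."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, secret in secrets.items():
            if not secret:
                continue  # an empty string would match every line
            for name, form in _forms(secret).items():
                haystack = line.lower() if name == "hex" else line
                if form in haystack:
                    findings.append((lineno, label, name))
    return findings


def redact(text: str, secrets: dict) -> str:
    """Replace every found form with a placeholder, e.g. before posting a config to a forum."""
    for label, secret in secrets.items():
        for name, form in _forms(secret).items():
            flags = re.IGNORECASE if name == "hex" else 0
            text = re.sub(re.escape(form), lambda m, l=label: f"<REDACTED:{l}>", text, flags=flags)
    return text


# Constructed sample for illustration; not real camera output, layout is an assumption.
SAMPLE = "\n".join([
    "// constructed sample, not real camera output",
    'var smtp_user = "cam@example.com";',
    'var smtp_pass = "Tr0ub4dor&3";',
    'var samba_pass = "' + base64.b64encode(b"nas-Secret!").decode() + '";',
])
MY_SECRETS = {"smtp": "Tr0ub4dor&3", "nas": "nas-Secret!"}  # constructed values

if __name__ == "__main__":
    for lineno, label, encoding in find_exposed_secrets(SAMPLE, MY_SECRETS):
        print(f"line {lineno}: '{label}' credential stored as {encoding}")
```

Run it against a saved copy of the file with your own credentials in `MY_SECRETS`; any hit means that credential should be treated as readable by anyone who can fetch the file.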
-
Thanks for the feedback. I'll forward this on to D-Link for review.