
Author Topic: ### [SERIOUS ISSUE] 2332L DOESN'T ENCRYPT PASSWORDS ###  (Read 4356 times)

SergeGardien

  • Level 1 Member
  • *
  • Posts: 3
### [SERIOUS ISSUE] 2332L DOESN'T ENCRYPT PASSWORDS ###
« on: January 10, 2016, 03:47:42 AM »

OK, I'm trying to do a bit of reverse engineering on my DCS-2332L to solve by myself the issue with the video recording and the "Total cycling recording size" setting (read my other post to get an idea: http://forums.dlink.com/index.php?topic=64182.0), and I've found another extremely serious issue:

THE D-LINK DCS-2332L DOESN'T ENCRYPT ANY PASSWORD YOU'VE PROVIDED (EMAIL/GMAIL ACCOUNT TO SEND REPORTS; ADMIN PASSWORDS OF NAS/SAMBA SERVERS; ETC.) !!!
I guess this is true for many other D-Link IP Cameras.

To check yourself what I'm talking about, just do the following:
1) Open your web browser (Firefox/Google Chrome/whatever) while you're connected to the network (WiFi or wired) where you've installed your D-Link camera
2) Open the following URL: http://IP_ADDRESS_OF_YOUR_CAMERA/setup_event.js

Search inside this JavaScript file for the data you've provided (email/admin accounts, etc.) and you'll see all the passwords you've provided.
If you think this is normal, I can assure you it is not. This kind of data should be encrypted to prevent any tech-savvy guy from accessing it.

UPDATE-1: You can also read the name of the D-Link employee/programmer who worked on this JavaScript file (encrypted, it reads like w******c***); just search for the following date inside this file and you will see his comment in the code: 2014.03.11 => At least we have a contact inside D-Link that we can try to reach
« Last Edit: January 10, 2016, 05:48:37 AM by SergeGardien »
Logged

RYAT3

  • Level 10 Member
  • *****
  • Posts: 2254
Re: ### [SERIOUS ISSUE] 2332L DOESN'T ENCRYPT PASSWORDS ###
« Reply #1 on: January 10, 2016, 06:20:52 AM »

Interesting. I was prompted for a password on my 2230.

The question now would be whether that is available to a non-admin account.
Logged

cmontyburns

  • Level 3 Member
  • ***
  • Posts: 193
Re: ### [SERIOUS ISSUE] 2332L DOESN'T ENCRYPT PASSWORDS ###
« Reply #2 on: January 10, 2016, 07:12:25 AM »

You don't even need to break open the javascript to see this.  Just download the camera's configuration file using the button on the Maintenance > System page and you'll see the IDs and passwords for all mail accounts, servers, etc. that you've configured in the camera, right there in plain text.

For this reason, I set up a mail account specifically for my cameras' use and made some other changes to my local network security and configuration. 
Logged
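
One way to audit a saved copy of setup_event.js or the downloaded configuration file for credentials stored in the clear, as an added example (not part of the thread and not D-Link code). The file syntax, the key-name patterns and the sample text are assumptions constructed for illustration; the script reports key names and value lengths only.

```python
import re
import sys

# Key names that usually hold a secret. This list is an assumption; adjust it
# after looking at the key names in your own camera's files.
SECRET_KEY = re.compile(r"passw|passphrase|pass$|pwd|secret|psk", re.IGNORECASE)

# Matches `key = "value"`, `key: 'value'` and bare `key=value`, which covers
# JavaScript assignments and INI-style configuration exports.
ASSIGNMENT = re.compile(
    r"""(?<![\w.\-])(?P<key>[A-Za-z_][\w.\-]*)["']?\s*[:=]\s*
        (?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)'|(?P<bare>[^\s;,"']+))""",
    re.VERBOSE,
)

def find_plaintext_secrets(text):
    """Return (line_no, key, value_length) for each non-empty secret-like field."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ASSIGNMENT.finditer(line):
            value = m.group("dq") or m.group("sq") or m.group("bare") or ""
            if value and SECRET_KEY.search(m.group("key")):
                # Record the length only, so the report never repeats the secret.
                findings.append((line_no, m.group("key"), len(value)))
    return findings

# Constructed sample input; not real camera output.
SAMPLE = '''\
// constructed sample, not real camera output
var smtp_server = "mail.example.com";
var smtp_user = "camera@example.com";
var smtp_pass = "example-password-1";
var smb_passwd = "";
samba_password=example-password-2
ftp_port=21
'''

if __name__ == "__main__":
    # Pass the path of a file you saved from your own camera, or run with no
    # argument to scan the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    for line_no, key, length in find_plaintext_secrets(text):
        print(f"line {line_no}: {key} holds a {length}-character cleartext value")
```

Every account the script lists is readable by anyone who can fetch those files, which makes it a candidate for a dedicated, low-privilege account and a password change.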

FurryNutz

  • Poweruser
  • *****
  • Posts: 49923
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: ### [SERIOUS ISSUE] 2332L DOESN'T ENCRYPT PASSWORDS ###
« Reply #3 on: January 10, 2016, 11:06:16 AM »

Thanks for the feedback. I'll forward this on to D-Link for review.

Logged