Why is Omada SDN UI posting to site.alipay.com? Is this malware or a security lapse?

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
12

Why is Omada SDN UI posting to site.alipay.com? Is this malware or a security lapse?

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Why is Omada SDN UI posting to site.alipay.com? Is this malware or a security lapse?
Why is Omada SDN UI posting to site.alipay.com? Is this malware or a security lapse?
2020-10-21 05:53:14 - last edited 2020-10-21 05:55:46
Model: EAP245  
Hardware Version: V3
Firmware Version:

Omada controller 4.1.5 version is posting data to site.alipay.com. This is clearly a very significant security issue. The URL for this site is in the obfuscated javascript file g6-656fc6c5c1.min.js. There might be other instances that are buried deeper in the jar files.

 

 

  0      
  0      
#1
Options
11 Reply
Re:Why is Omada SDN UI posting to site.alipay.com? Is this malware or a security lapse?
2020-10-22 08:05:25

I can confirm that this also happens on my installation. I would love to know the reasoning behind this.

  0  
  0  
#2
Options
Re:Why is Omada SDN UI posting to site.alipay.com? Is this malware or a security lapse?
2020-10-22 08:57:52 - last edited 2020-10-22 09:33:35

It seems that the controller connects to kcart.alipay.com when started on OC200/OC300 or when changing settings on the »Maintenance« menu.

 

Presumably, the controller checks which subscribed features requiring monthly fees are to be activated when the (native) Omada Cloud Controller goes online soon. Could be that one can subscribe to those features and make a payment via Alipay, which is the Chinese version of Paypal.

 

Could also be just a stub to test this function since I didn't see any actual traffic going to Alipay.

 

IMO this code should have been removed from OC200/OC300 controller versions. But maybe TP-Link plans to offer those features on the SW/HW controller, too, or just forgot to remove the test code before release of the software.

 

I don't think that it is malware or are you being asked to pay something when changing settings?

 

༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
  0  
  0  
#3
Options
Re:Why is Omada SDN UI posting to site.alipay.com? Is this malware or a security lapse?
2020-10-22 20:24:55

@R1D2 

This happens on a standard software install of SDN on ubuntu.

 

Alicloud is a very large cloud provider, like aws. So anyone can host any service they want on their cloud. So when a device that literally sits in the datapath of _all_ traffic gratuitously opens connections to a cloud provider in an entirely different country, with no documentation or elaboration of purpose. It becomes a very legitimate concern for any entity (corporate or private).

 

So what's to assure the users of SDN that their networks security is not already compromised? It's literally a few bytes worth of an https post request to send corporate wifi security credentials.  The fact that the URL is hidden in an obfuscated javascript file doesn't build much confidence. I guess we'll have to start investigating with wireshark as to what the Omada SDN does over a period of time.

 

I'm a bit surprised that no one from TP-link has responded. If I were a corporate entity, I wouldn't touch their gear with a barge pole, not with this kind of exposure.

  1  
  1  
#4
Options
Re:Why is Omada SDN UI posting to site.alipay.com? Is this malware or a security lapse?
2020-10-23 05:30:42 - last edited 2020-10-23 05:36:04

 

SecThrowA_y wrote

This happens on a standard software install of SDN on ubuntu.

 

Please proof that actual data is flowing to Alipay (tcpdump, iptables). I couldn't see any traffic, just a browser message »Waiting for response from kcart.alipay.com«. Even when blocking Alipay in the firewall I didn't see any dropped packets during appearance of this message . 

 

As I wrote, you can force this browser message by changing and applying any setting on the »Maintenance« page, even in SW controller. Only on OC200/OC300 the message appears at start / reboot of the controller according to my observations. So please use tcpdump or Wireshark, trace the traffic which is actually exchanged and post it here.

 

So when a device that literally sits in the datapath of _all_ traffic gratuitously opens connections to a cloud provider in an entirely different country, with no documentation or elaboration of purpose. It becomes a very legitimate concern for any entity (corporate or private).

 

It's definitely wrong that the controller handles all traffic. It does not. I have Omada SW Controller running in our own cloud for years now and no, it does not sit in the data path for all traffic. No Auranet/EAP/Omada controller version ever did that. It just receives status messages and responds to change requests. User data still flows from EAPs to routers directly. Please get the facts right.

 

So what's to assure the users of SDN that their networks security is not already compromised? It's literally a few bytes worth of an https post request to send corporate wifi security credentials.

 

You demand a bit too much of insider knowledge from us users, don't you? Nobody of us has the source code! Why don't you ask TP-Link support who should know? Open a ticket!

 

When asking in the forum, you will get answers from users, not necessarily from TP-Link support. And as always, those answers can't be authoritative.

༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
  0  
  0  
#5
Options
Re:Why is Omada SDN UI posting to site.alipay.com? Is this malware or a security lapse?
2020-10-23 06:02:35

@R1D2 

 

Lol, why do _I_ need to prove anything? The post was in hope of getting someone from tp-link to notice, elaborate and fix as necessary.

 

Of course the controller is not in the data path. Please read again, I never said the controller handles all traffic, I said the device (as in the AP) does. (My controller is a s/w install on Linux). Who feeds the configuration to the device? The controller. Who stores the critical security configurations? The controller. Who can set the DNS servers in use by the APs? Routes? The controller quite literally owns the APs.

 

Not sure why you seem to take it personally. I certainly appreciated your response confirming that you saw the same thing. I certainly never felt I was owed an answer by you or any other user.

 

If enough users are aware of the potential issue, the hope was that someone from tp-link will notice and fix.

  0  
  0  
#6
Options
Re:Why is Omada SDN UI posting to site.alipay.com? Is this malware or a security lapse?
2020-10-23 06:15:00

@SecThrowA_y, ok, than that was a mis-understanding regarding all traffic. English is not my native language.

 

Also, I don't take anything personally and certainly not concerning WLAN stuff from whichever manufacturer.

 

I just share my observation that albeit there is a message in the browser telling us it's waiting for a response from Alipay, no traffic is actually send/received from Alipay. I noticed this message as early as in the beta test for Omada SDN controller, but I don't worry unless there is real traffic. That's why I guessed it could be a left-over from tests for the cloud payment method.

 

As for me, if I cannot proof that data is flowing to/from Alipay, I do not claim that any data is exchanged with Alipay.

༺ 0100 1101 0010 10ཏ1 0010 0110 1010 1110 ༻
  0  
  0  
#7
Options
Re:Why is Omada SDN UI posting to site.alipay.com? Is this malware or a security lapse?
2020-11-06 07:00:48

Dear @SecThrowA_y,

 

Sorry for the confusion and late response.

 

The URL is invalid and no data is sending to the URL, it has nothing to do with malware. Please do not worry about it too much.

 

I've forward this to the developer team who will remove the URL in the next 4.2.7 version. Thank you for your valued feedback!

>> Omada EAP Firmware Trial Available Here << *Try filtering posts on each forum by Label of [Early Access]*
  0  
  0  
#8
Options
Re:Why is Omada SDN UI posting to site.alipay.com? Is this malware or a security lapse?
2020-11-10 11:12:10

@SecThrowA_y Also seeing this connection (kcart.alipay.com). Needs to be removed on next update, don't care if its not Malware, QA should have removed this if devs were mucking around with a URL for testing purposes. Thankfully, blocked by Pi-Hole.

  0  
  0  
#9
Options
Re:Why is Omada SDN UI posting to site.alipay.com? Is this malware or a security lapse?
2020-11-12 08:00:52

Dear @Pugs,

 

Also seeing this connection (kcart.alipay.com). Needs to be removed on next update, don't care if its not Malware, QA should have removed this if devs were mucking around with a URL for testing purposes. Thankfully, blocked by Pi-Hole.

 

Noted, thank you for your kind feedback. The R&D team will remove all the invalid URL in the next 4.2.7 version.

>> Omada EAP Firmware Trial Available Here << *Try filtering posts on each forum by Label of [Early Access]*
  0  
  0  
#10
Options
Re:Why is Omada SDN UI posting to site.alipay.com? Is this malware or a security lapse?
2020-11-18 17:14:41

@Fae Thanks, looks like the recent OC200 firmware has removed alipay.com. Cheersyes

  0  
  0  
#11
Options

Information

Helpful: 0

Views: 2827

Replies: 11

Related Articles