Unable to Contact TP-Link Security team
This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Unable to Contact TP-Link Security team
Model :
Hardware Version :
Firmware Version :
ISP :
I note the firmware for my router doesn't escape DHCP name correctly, allowing a trivial stored XSS issue.
Anyone who can connect to the router's networks and receive a DHCP lease can thus run JavaScript as the router admin (probably by exhausting the DHCP range to encourage the admin to login and look at the payload).
The workaround is to disable the routers DHCP and use another DHCP server, or not to allow any untrusted users to connect to any of the networks.
TP-Link have addressed the same issue in the Archer series and one other series of router, but they appear unable to pro-actively test for the same issue being present on other devices they ship. Also suggests they do no security testing on the devices before they ship, or no effective security testing.
Some of the affected devices use different firmware, as the exploitation of the issue is slightly different between routers.
The issues has been publicly disclosed on Full Disclosure mailing list several times, so the bad guys know this already, it is just TP-Link who aren't getting the message.
Have been completely unable to reach anyone at TP-Link with any clue. The support form for the UK doesn't work. The twitter feed is not responded to. Emails are unanswered.
Even PC World said they were unable to reach TP-Link security.
Wondering, do you have a security team? How does one reach them?
Hardware Version :
Firmware Version :
ISP :
I note the firmware for my router doesn't escape DHCP name correctly, allowing a trivial stored XSS issue.
Anyone who can connect to the router's networks and receive a DHCP lease can thus run JavaScript as the router admin (probably by exhausting the DHCP range to encourage the admin to login and look at the payload).
The workaround is to disable the routers DHCP and use another DHCP server, or not to allow any untrusted users to connect to any of the networks.
TP-Link have addressed the same issue in the Archer series and one other series of router, but they appear unable to pro-actively test for the same issue being present on other devices they ship. Also suggests they do no security testing on the devices before they ship, or no effective security testing.
Some of the affected devices use different firmware, as the exploitation of the issue is slightly different between routers.
The issues has been publicly disclosed on Full Disclosure mailing list several times, so the bad guys know this already, it is just TP-Link who aren't getting the message.
Have been completely unable to reach anyone at TP-Link with any clue. The support form for the UK doesn't work. The twitter feed is not responded to. Emails are unanswered.
Even PC World said they were unable to reach TP-Link security.
Wondering, do you have a security team? How does one reach them?