Long-term Chad’s News readers may recall this article, where a website was destroyed during a Google scan because the Google crawler doesn’t process JavaScript. And Firefox power users may be aware of the NoScript extension, which disables JavaScript for all websites by default (and which frequently shows up on “Top 10 Essential Add-ons” lists).
With all this in mind, you’d think web developers would know better than to design security measures that rely on JavaScript being enabled. But apparently not. Time Warner Cable distributed 65,000 cable modems that allow users to perform simple administrative functions via a web page interface. Advanced controls are hidden from the user, but they’re hidden via JavaScript. Disable scripting and poof! it’s a few easy steps to get the modem’s login credentials. To make matters worse, all 65,000 modems have the same username and password. Thus, a malicious hacker can reconfigure people’s modems from anywhere on the internet. Stupid, stupid, stupid.
Link: http://www.wired.com/…
(via Kim Komando)