Security issue


#1

We found some issues regarding security.

Please check this scenario:
On the login page https://incontrol2.peplink.com/login you have the option to sign up as a new member. Create a new user.
Also, in the Max-BR router you have the InControl management message that redirects you to the InControl website and gives you the management page.

It seems that if someone attacks the router and gets access to the management of the router, he can click on this link and be redirected to InControl even if he does not have permission. He cannot see all the information about the organisation, but he can check the request and see the JSON file with all the information regarding the organisation of this router.
Also check what happens if a user without permission catches a package with the organisation number and device


#2

Hi Sharon, first of all, thanks for your report. Actually, everything is safe and there is no security issue.

After you click the InControl link on the device’s web admin, InControl first checks your login session. The reason you can access the device’s management page is that you had already signed in to InControl earlier. If you sign out of InControl and click the link on the web admin again, you will just be redirected to the InControl sign-in page. So nothing is disclosed.