According to Cybermoon security researcherand reporter , networking equipment vendor TP-LINK has forgotten to renew two domains used by users to configure their routers and access their devices’ administrative panels.
The domains are tplinklogin.net and tplinkextender.net. The first is used to configure TP-LINK routers, while the second is used for TP-LINK Wi-Fi extenders.
Both domains have been re-registered under anonymous names by unknown entities and are available for sale online. The man in possession of the first domain is asking for $2.5 million.
Domains were never live, users not in direct danger
None of these domains ever resolved to an IP address on the Internet, meaning they were never live.
TP-LINK used them to catch DNS queries for these domains on the local router and redirect the user to the device’s internal admin interface.
This means that there’s no actual danger to users, except the reputational damage that TP-LINK has suffered by failing to secure its own domains.
Indirect danger can come via phishing attacks
The tplinklogin.net and tplinkextender.net domains usually came printed on the back of the devices. In recent years, TP-LINK has started replacing the tplinklogin.net domain with a new domain named tplinkwifi.net, currently under the company’s control.
Nevertheless, some users may try to access this domain on devices that won’t catch this DNS queries and end up on a domain under a third-party’s control. If the domain is ever sold to a malicious entity, they could easily serve phishing pages, requesting device or social media credentials from users before being redirected to the router’s local admin panel IP.
After Amitay Dan had informed TP-LINK of the issue, the company started replacing all mentions of the tplinklogin.net domain in its documentation sites with the newer tplinkwifi.net domain. The labels on the back of older devices will remain, though.