Owners of the Huawei E355 mobile Wi-Fi dongle are being warned of a cross-site scripting (XSS) vulnerability, described as “close to being as bad as can be”, that could allow a malicious attacker to steal sensitive information.
The US Computer Emergency Response Team (CERT) says the flaw exists in the web-based administration interface and allows users to receive SMS messages to be received through the connected cellular network.
“The vulnerability can be exploited if a victim views SMS messages that contain JavaScript using the web interface,” warns the CERT.
“It seems the vulnerability was reported to Huawei in April,” he says. “Publicising the vulnerability in late July might therefore seem a trifle generous in allowing the vendor time to fix the software. On the other hand, there is no telling when it was first discovered”
The CERT is advising users to disable scripting functionality on all computers and devices that connect to the dongle, but Adelakun warns this could also cause some web pages not to display properly. He says a more sensible approach could be to disable the functionality while connected to the mobile Wi-Fi device and enable it when connected to another network.
Last month, users of popular Twitter client TweetDeck were urged to shut the application down following the emergence of an XSS flaw that could have led to “mass account compromise.”
How well do you know network security? Try our quiz and find out!
Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector
Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…
Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…
Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…
Explore the future of work with the Silicon In Focus Podcast. Discover how AI is…
Executive hits out at the DoJ's “staggering proposal” to force Google to sell off its…