Overview
On February 25, 2020, a third-party security research team, Nightwatch Cyber-security Research, reported security weaknesses in Android and iOS mobile applications that affected the mydlink mobile application. These vulnerabilities were confirmed, and new releases were issued to close the issues.
3rd Party Report information
- Report provided: Nightwatch Cyber-security Research :: research _at_ nightwatchcybersecurity _dot_ com :: Disclosure Link
- Reference :
Security Issue #1 - FLAG_SECURE not used :: FLAG_SECURE protects sensitive screens from being captured by other
applications, taken as screenshots, or shown unprotected.
- The login screen in the MyDlink and MyDlinkLite applications was found to be affected by this attack.
Security Issue #2 - Lack of full-time use of HTTPS :: Some calls in the MyDlink app happen without SSL, which can
allow for injection. This was proven by using a Man-in-the-Middle testing proxy.
- MyDlink and MyDlinkLite applications were found to be affected by this attack.
Affected Models
| Model | Supported Operating System | Affected FW | Fixed App | Recommendation | Last Updated |
|---|---|---|---|---|---|
| mydlink Mobile Application | iOS | v1.10.1 & Below | v1.11.0 | Update from App. Store | 03/12/2020 |
| mydlink Mobile Application | Android | v1.10.1 & Below | v1.11.0 | Update from App. Store | 03/10/2020 |
Regarding Security patch for your D-Link Devices
These mobile application updates address the security vulnerabilities. D-Link will update this continually, and we strongly recommend that all users install the relevant updates.
As there are different hardware revisions of our products, please check the revision on your device before downloading the corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product, next to the serial number. Alternatively, it can also be found in the device web configuration.