A vulnerability has been discovered in the website of GoPro, a popular wearable high-definition camera manufacturer, that could potentially expose thousands of customer usernames and passwords.
GoPro’s claim to fame is their lightweight cameras that are meant to be highly durable. People use them for mountain biking, motorcycling, and even water sports. There’s also a mobile app that gives you remote control over your GoPro, so that you can set it anywhere, and that can automatically upload your photos to social media.
Ilya Chernyakov, a security researcher in Israel, discovered the flaw after borrowing a friend’s GoPro. His friend had forgotten his password, and Chernyakov attempted to recover it by updating the firmware manually, which the website instructs you to do.
When Chernyakov downloaded the required RAR archive, he found that it contained a file, “settings.in”, holding his wireless network’s name and password in clear text.
GoPro’s website does not use any form of authentication and, in fact, changing a number in the file URL provided by the site would give you other customers’ information.
Chernyakov wrote a Python script that would automatically download files of all possible number combinations, collecting thousands of wireless usernames and passwords.
He then reported the vulnerability to the company, but has yet to hear back.
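The flaw described above is a download link that identifies a customer's archive by a number alone, with no authentication. As an added example (not GoPro's code and not the researcher's script), here is one way a server could bind such a link to the logged-in account and an expiry time with an HMAC, so that an edited number is rejected; the key, function names and IDs are hypothetical.

```python
import hashlib
import hmac
import time
from typing import Optional

# Hypothetical server-side secret (constructed); load from a secrets store in practice.
SECRET_KEY = b"constructed-demo-key-not-a-real-secret"
TOKEN_TTL = 600  # seconds a download link stays valid


def _sign(archive_id: int, account: str, expires: int) -> str:
    """HMAC over the archive number, the owning account and the expiry."""
    msg = f"{archive_id}|{account}|{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_link(archive_id: int, account: str, now: Optional[int] = None) -> dict:
    """Build link parameters; call only after checking the account owns the archive."""
    now = int(time.time()) if now is None else now
    expires = now + TOKEN_TTL
    return {"id": archive_id, "exp": expires, "sig": _sign(archive_id, account, expires)}


def authorize_download(params: dict, session_account: Optional[str],
                       now: Optional[int] = None) -> bool:
    """Allow the download only for an authenticated, unexpired, untampered request."""
    now = int(time.time()) if now is None else now
    if session_account is None:  # unauthenticated request: always refused
        return False
    try:
        archive_id = int(params["id"])
        expires = int(params["exp"])
        sig = str(params["sig"])
    except (KeyError, ValueError, TypeError):
        return False  # missing or malformed parameters
    if expires < now:
        return False
    # Recompute the signature for the *session's* account, so a link issued to
    # one customer does not verify for another, and a changed id does not verify at all.
    expected = _sign(archive_id, session_account, expires)
    return hmac.compare_digest(expected.encode(), sig.encode())
```
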
GoPro users: Time to change your wireless passwords! Then you may want to change them again every time you use your GoPro.