[redder23]

Well have you looked at the example? Browsers should be able to a access anY IP on the LAN. If that url is not password protected and let you just change settings via URL its really not the browsers fault for supposedly "giving access". Well thinking about it, it should probably not be possible in an iframe but they would just trick you clicking a link instead. People to not secure their routers and have default passes that is the big issue here. So of course them mitigating that makes sense.

Simple never giving access would mean people can not open their router interfaces, self hosted stuff on SBCs ... so you make no sense.

[betaby]

> People to not secure their routers and have default passes that is the big issue here.

Is it really? ISPs in USA/Canada/France/etc give customers WiFi routers with random passwords for many years.

[zokier]

https://arstechnica.com/information-technology/2024/02/doj-t...

> That malware, which worked as a botnet for the Russian hacking group Fancy Bear, was removed in January 2024 under a secret court order as part of "Operation Dying Ember," according to the FBI's director. It affected routers running Ubiquiti's EdgeOS, but only those that had not changed their default administrative password

[betaby]

Those are not ISP given devices. While it's bad-bad, Ubiquiti is a SOHO vendor and post-purchase configuration is expected.

[traverseda]

It's not random, it's the devices Mac address and some isp-specific value hashed together and truncated.

Don't tell anyone though since that's a pretty big security risk.

[betaby]

Do you have a link for the algorithm? Really interesting.