Heatmiser Wifi Thermostat Credential Disclosure Vulnerability

Vulnerability

A credential disclosure vulnerability has been identified in the Heatmiser Wifi Thermostat version 1.7. This vulnerability allows unauthenticated attackers to retrieve administrative credentials by accessing the networkSetup.htm page. The vulnerability arises because the page exposes plaintext usernames and passwords in HTML form fields, which can be extracted to gain administrative access to the thermostat.

Impact

Exploitation of this vulnerability allows for unauthorized access to the thermostat's administrative interface, potentially leading to unauthorized changes in thermostat settings or functionality.

Reproduction

To reproduce this vulnerability, send a request to the networkSetup.htm endpoint of the Heatmiser Wifi Thermostat. The response will contain plaintext administrative credentials, including the username and password, which can be extracted from the HTML form fields. This can be automated with a simple script that downloads the networkSetup.htm page and parses out the credential information.
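From a defender's side, the actionable signal is any request for networkSetup.htm that does not come from a host you expect to administer the thermostat. The following Python script is an added example, not code from the advisory or from Heatmiser; it assumes the thermostat sits behind a reverse proxy or network sensor that writes Apache/nginx-style combined access logs (the advisory does not say the device itself logs anything), and that an operator-defined management network exists. The log lines, the 10.0.10.0/24 allowlist and the client addresses are constructed for illustration.

```python
"""Flag access-log entries that request the credential-disclosing networkSetup.htm page.

Added example; not part of the advisory. Assumptions: combined-format access logs
from a proxy or sensor in front of the thermostat, and a hypothetical management
network (ALLOWED_NETS) from which administration is expected.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Combined log format: ip ident user [time] "METHOD PATH PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Path named in the advisory; compared case-insensitively and without query string
SENSITIVE_PATH = "/networksetup.htm"

# Hypothetical management network (assumption, not from the advisory)
ALLOWED_NETS = [ip_network("10.0.10.0/24")]

# Constructed sample log lines (not real traffic)
SAMPLE_LOG = """\
10.0.10.5 - - [29/May/2026:16:40:01 +0000] "GET /index.htm HTTP/1.1" 200 2311
10.0.10.5 - - [29/May/2026:16:40:09 +0000] "GET /networkSetup.htm HTTP/1.1" 200 1874
192.168.1.77 - - [29/May/2026:16:41:22 +0000] "GET /networkSetup.htm HTTP/1.1" 200 1874
192.168.1.77 - - [29/May/2026:16:41:23 +0000] "GET /networkSetup.htm?x=1 HTTP/1.1" 200 1874
203.0.113.9 - - [29/May/2026:16:42:00 +0000] "HEAD /NETWORKSETUP.HTM HTTP/1.0" 200 0
"""


@dataclass
class Hit:
    ip: str
    time: str
    method: str
    status: str
    unexpected_source: bool


def parse_line(line: str) -> Dict[str, str]:
    """Parse one combined-format line; return {} if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else {}


def is_allowed(ip: str) -> bool:
    """True if the client address falls inside an allowlisted management network."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETS)


def find_credential_page_hits(log_text: str) -> List[Hit]:
    """Return every request for networkSetup.htm, flagging sources outside the allowlist."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        # Normalise: drop the query string, ignore case (the device serves it either way)
        path = rec["path"].split("?", 1)[0].lower()
        if path != SENSITIVE_PATH:
            continue
        hits.append(Hit(
            ip=rec["ip"],
            time=rec["time"],
            method=rec["method"],
            status=rec["status"],
            unexpected_source=not is_allowed(rec["ip"]),
        ))
    return hits


def unexpected_sources(hits: List[Hit]) -> List[str]:
    """Unique client addresses that fetched the page from outside the management network."""
    return sorted({h.ip for h in hits if h.unexpected_source})


if __name__ == "__main__":
    found = find_credential_page_hits(SAMPLE_LOG)
    for h in found:
        tag = "ALERT" if h.unexpected_source else "ok   "
        print(f"{tag} {h.time} {h.ip} {h.method} networkSetup.htm -> {h.status}")
    print("unexpected sources:", unexpected_sources(found))
```

Because the page is served without authentication, a 200 from an unexpected address should be treated as a probable credential disclosure, and the device's administrative password rotated; restricting the thermostat's web interface to the management network at the firewall removes the exposure while a vendor fix is pending.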

Added: May 29, 2026, 4:44 PM
Updated: May 29, 2026, 4:44 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 6.2
remediation: 0.0
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.