To make the configuration of routers easier, hardware vendors instruct users to browse to a domain name rather than a numeric IP address.
Networking equipment vendor TP-LINK uses either tplinklogin.net or tplinkextender.net for its router configuration, although users can also access their router's administration panel through its local IP address (i.e. 192.168.1.1).
The first domain offered by the company is used to configure TP-LINK routers and the second is used for TP-LINK Wi-Fi extenders.
Here’s the Blunder:
TP-Link has reportedly "forgotten" to renew both domains that are used to configure its routers and access administrative panels of its devices.
Both domains have now been re-registered using an anonymous registration service by an unknown entity and are being offered for sale online at US$2.5 Million each.
This latest TP-Link oversight, which was first spotted by Cybermoon CEO Amitay Dan, could expose its users to potential problems.
However, it seems like TP-Link is not at all interested in buying back those domains, as Dan claims that the hardware vendor is updating its manuals to remove the domain name references altogether.
In recent years, the hardware vendor has started replacing its tplinklogin.net domain with the tplinkwifi.net domain, which is currently under its control. So, there is no direct threat to TP-Link users.
But unfortunately, tplinklogin.net and tplinkextender.net usually came printed on the back of the devices. So, users accessing these domains from their devices could end up on a domain under a third party's control.
If malicious actors get their hands on these domains, they could use them to distribute malware, serve phishing pages instructing users to "download new firmware to your router," and request device or social media credentials from users before redirecting them to the router’s local admin panel IP.
The bottom line:
Users are advised to avoid accessing their TP-Link routers using the tplinklogin.net domain; instead, use the router's local IP address.
Dan has also recommended that Internet Service Providers (ISPs) block the affected domain names in order to prevent their customers from being hijacked.
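The following check is an added example, not code from the article or from TP-Link. It resolves the setup domains named above and reports whether each answer stays on the local network or points to a public address. The function names, the `LAN_NETS` list and the verdict labels are assumptions made for this sketch.

```python
import ipaddress
import socket

# Domains named in the article; the first two are the ones that lapsed.
SETUP_DOMAINS = ["tplinklogin.net", "tplinkextender.net", "tplinkwifi.net"]

# Ranges that can only be answered by equipment on or next to the LAN.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",               # IPv6 equivalents
)]

def system_resolver(name):
    """Return the set of addresses the OS resolver gives for name."""
    try:
        infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()  # NXDOMAIN, blocked by the resolver, or no network
    return {info[4][0] for info in infos}

def classify(name, resolver=system_resolver):
    """'local', 'external', 'mixed' or 'unresolved' for one setup domain."""
    addrs = resolver(name)
    if not addrs:
        return "unresolved"
    on_lan = []
    for addr in addrs:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
        on_lan.append(any(ip in net for net in LAN_NETS))
    if all(on_lan):
        return "local"
    return "mixed" if any(on_lan) else "external"

def audit(domains=SETUP_DOMAINS, resolver=system_resolver):
    """Map each domain to its classification (resolver is injectable)."""
    return {name: classify(name, resolver) for name in domains}

if __name__ == "__main__":
    for name, verdict in audit().items():
        flag = "" if verdict in ("local", "unresolved") else "  <- leaves the LAN"
        print(f"{name:22} {verdict}{flag}")
```

A verdict of `external` or `mixed` means a browser on that network would reach whoever currently holds the domain, so the router should be opened by its local IP address instead.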