It took the researchers at SourceSec only a week to find a flaw in the CAPTCHA that D-Link recently introduced in its routers, a feature originally aimed at preventing DNS-changing malware from automatically achieving its objective. The bypass works as follows:
- The malware loads the router's index page and gleans the salt generated by the router
- The malware uses the salt to generate a login hash for the D-Link user account (blank password by default)
- The malware sends the hash to the post_login.xml page and is logged in without ever solving the CAPTCHA
- The malware sends a request to the wifisc_add_sta.xml page, activating WPS
- The attacker uses WPSpy to detect when the victim's router is looking for WPS clients, and connects to the WiFi network using a WPS-capable network card
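The steps above boil down to one design error: the CAPTCHA guards the HTML login form, but the XML endpoint that actually authenticates never asks for it, and the login hash is something any client can compute from the page salt and the default blank password. The following is an added example, written for this page and not code from SourceSec or D-Link firmware, that models that flow in process. The hash construction (HMAC-MD5 keyed with the salt), the endpoint names as Python methods and the session handling are assumptions for illustration; the page does not specify how the real router computes the hash. The hardened variant binds the CAPTCHA answer to the salt and requires it on the XML endpoint, which is what would have stopped steps 1 to 4.

```python
"""Constructed model of a CAPTCHA that is checked on the wrong path.

Assumptions (not from the page): HMAC-MD5(salt, password) as the login
hash, "correct" as the stand-in CAPTCHA solution, and in-process method
calls in place of HTTP requests to post_login.xml / wifisc_add_sta.xml.
"""
import hashlib
import hmac
import secrets


def compute_login_hash(salt, password):
    # Whatever the browser's JavaScript can compute, malware can compute too.
    return hmac.new(salt.encode(), password.encode(), hashlib.md5).hexdigest()


class VulnerableRouter:
    """CAPTCHA is rendered and checked only on the HTML form path; the XML
    endpoint that performs authentication never sees it."""

    def __init__(self, password=""):
        self.password = password        # blank by default, as on the page
        self.salt = None
        self.sessions = set()
        self.wps_active = False

    def index_page(self):
        # Every page load mints a fresh salt and embeds it in the page.
        self.salt = secrets.token_hex(8)
        return {"salt": self.salt, "captcha": "rendered here"}

    def login_html(self, login_hash, captcha_answer):
        # Browser path: CAPTCHA checked, then the same XML endpoint is used.
        if captcha_answer != "correct":
            return None
        return self.post_login_xml(login_hash)

    def post_login_xml(self, login_hash):
        # Flaw: no CAPTCHA token and no tie to the form; the hash alone suffices.
        expected = compute_login_hash(self.salt, self.password)
        if hmac.compare_digest(expected, login_hash):
            sid = secrets.token_hex(8)
            self.sessions.add(sid)
            return sid
        return None

    def wifisc_add_sta_xml(self, sid):
        # Any authenticated session may switch on WPS client enrolment.
        if sid in self.sessions:
            self.wps_active = True
        return self.wps_active


class HardenedRouter(VulnerableRouter):
    """The CAPTCHA solution is stored server-side per salt, consumed once,
    and demanded by the XML endpoint itself, not just by the HTML form."""

    def index_page(self):
        page = super().index_page()
        self.captcha_expected = "correct"   # server-side answer for this salt
        return page

    def login_html(self, login_hash, captcha_answer):
        return self.post_login_xml(login_hash, captcha_answer)

    def post_login_xml(self, login_hash, captcha_answer=None):
        if captcha_answer is None or captcha_answer != getattr(self, "captcha_expected", None):
            return None
        self.captcha_expected = None        # one shot: a solved CAPTCHA cannot be replayed
        return super().post_login_xml(login_hash)


def malware_attack(router):
    """Steps 1 to 4 from the page: fetch salt, hash blank password, log in,
    enable WPS. No human and no CAPTCHA solution involved. Returns True
    if WPS ended up active."""
    page = router.index_page()
    login_hash = compute_login_hash(page["salt"], "")   # default blank password
    sid = router.post_login_xml(login_hash)
    if sid is None:
        return False
    return router.wifisc_add_sta_xml(sid)
```

Two things worth noting from running it: against the vulnerable model the attack succeeds with no CAPTCHA interaction at all, and it also fails as soon as the admin password is no longer blank, so changing the default password blocks step 2 even on unpatched firmware. The hardened model still lets a real browser log in through login_html with a solved CAPTCHA, but rejects the bare XML post.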
Ironically, the first router to ship with a CAPTCHA can in fact undermine the otherwise secure combination of a strong WiFi passphrase and a strong encryption protocol, because once WPS is switched on the attacker's client is handed the network key no matter how strong it is. That of course does not mean these best practices are in wide circulation in the places they are supposed to be.