Reply to post: “allow Admin users to circumvent access controls”

Schneider Electric building manager bug allows security bypass


“allow Admin users to circumvent access controls”

That's some highly questionable phrasing. Admin users define the access controls (by design) so obviously they can change them[1]. Calling that "circumvention" seems a bit of a reach.

Shipping with weak default credentials is a valid observation, but also common practice. If you are going to ship a device with any standardized default credentials then it makes no difference how complicated they are because anyone can read your website.

[1] I'm familiar with (wrote) an app for a similar system that uses admin access to issue/revoke ACLs every 20 seconds.


Biting the hand that feeds IT © 1998–2021