Nick Leghorn

Name of the Vulnerable Software and Affected Versions: D-Link mydlink+ version 3.8.5 build 259 D-Link DCS-933L version 1.05.04 D-Link DCS-934L version 1.05.04 Description: An issue was discovered where the mydlink+ app sends the `username` and `password` for connected D-Link cameras unencrypted from the app to the camera. This allows attackers to obtain these credentials and gain control of the camera, including the ability to view the camera's stream and make changes without the user's knowledge. Recommendations: For D-Link mydlink+ version 3.8.5 build 259, consider disabling the camera connection feature until a patch is available. For D-Link DCS-933L version 1.05.04, restrict access to the camera's stream and configuration settings to minimize the risk of exploitation. For D-Link DCS-934L version 1.05.04, avoid using the mydlink+ app to connect to the camera until the issue is resolved.