PT-2018-3886 · D Link · D-Link 825L+1

Published 2018-12-20 · Updated 2023-04-26 · CVE-2018-18767

CVSS v3.1: 7.0 High

Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

D-Link myDlink Baby App version 2.04.06
D-Link 825L firmware 1.08

Description

The issue concerns the communication between the myDlink Baby App and the D-Link 825L Wi-Fi camera: credentials, including the username and password, are sent base64-encoded, which is effectively cleartext because base64 is an encoding, not encryption. An attacker on the local network can potentially conduct a man-in-the-middle (MitM) attack to obtain these credentials. The vulnerability is also related to the use of a weak encryption mechanism in the D-Link 825L camera.

Recommendations

For D-Link myDlink Baby App version 2.04.06, consider disabling the app's ability to communicate with the camera until a secure communication method is implemented. For D-Link 825L firmware 1.08, restrict access to the camera's settings and features to minimize the risk of exploitation until a firmware update with improved encryption is available. As a temporary workaround, consider using a secure, encrypted connection to protect data transmitted between the app and the camera.

Weakness Enumeration

Inadequate Encryption Strength

Related Identifiers

BDU:2023-02829
CVE-2018-18767

Affected Products

D-Link 825L
D-Link Mydlink Baby App