Disable HTTPS redirect

The admin page redirect isn’t done server-side via a 302; it’s done client-side in JavaScript. So we’re relying on the client correctly parsing the JavaScript for an insecure page, then redirecting to a secure page.

Admirable, but you expose the “secure” URL to any un-authenticated user at: http://<insert_your_nas_ip_here>/nas/v1/locale.

It would be pretty easy to JavaScript-scan a network for that endpoint, exposing the secure hostname, and now an attacker can go generate a valid keypair, using the same secure service you’ve exposed to all customers. This is pretty much a textbook example of security through obscurity?

All we’re asking is, please, let us have the option to disable it.

I guess one possible way of blocking this (in Chrome, anyway) would be to disable image loading for the NAS admin page, since the redirect only fires once this probe image has loaded:

// Runs only after the image request succeeds; if the image never loads,
// the handler never fires and the page stays on the HTTP URL.
img.onload = function () {
    // Send the whole window (not just a frame) to the HTTPS admin URL.
    top.location.href = redirect_url;
};

Just tested this, and yup. Blocks the redirect. Phew, a workaround!
