Limit access provided to "guest" users
Currently if you log into a Reolink camera with a 'guest' account via the camera's URL, you can see the entire camera's configuration, including but not limited to:
* Network information (now I know what the internal network looks like)
* FTP username and server address (now I can brute force this)
* Email accounts used (information gathering and potentially people's names)
* Camera's recording schedule (now I know when I won't be detected if I'm a person with malicious intent)

There should be really no reason at all to allow a 'guest' user to even access the configuration settings or 'gear' icon through the web page at all. I can understand allowing them to change their password, but guests should be treated with 'zero trust'. It is not enough that they aren't allowed to change anything; you can take this one step further and not provide them viewing access to important/critical configuration settings. Thinking from a pentester's point of view, you can gain a lot of information if a guest account is compromised on these Reolink cameras.
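Added illustration (not Reolink's code and not part of the post above): a deny-by-default authorization layer showing how a guest role can be kept away from configuration views entirely, while a lower-privileged operator role sees the configuration with credentials and addresses masked and a guest keeps only a self-service password change. The role names, action names and the sample configuration are assumptions constructed for the example.

```python
from copy import deepcopy

# Constructed sample of a camera's configuration object (not real data).
SAMPLE_CONFIG = {
    "network": {"ip": "192.0.2.10", "gateway": "192.0.2.1"},
    "ftp": {"server": "ftp.example.net", "user": "cam-upload", "password": "s3cret"},
    "email": {"smtp": "mail.example.net", "recipients": ["ops@example.net"]},
    "schedule": {"record": ["Mon-Fri 08:00-18:00"]},
}

# Deny-by-default policy: a role may perform only the actions listed for it.
# 'guest' gets the live stream and a self-service password change, nothing else.
POLICY = {
    "admin":    {"config.read", "config.read.secrets", "config.write",
                 "stream.view", "password.change.any"},
    "operator": {"config.read", "stream.view", "password.change.self"},
    "guest":    {"stream.view", "password.change.self"},
}
# Keys masked for anyone lacking config.read.secrets (assumed field names).
SECRET_KEYS = {"password", "user", "recipients"}


class Forbidden(Exception):
    pass


def authorize(role, action, actor=None, target=None):
    """True if role may perform action. Self-scoped password changes also
    require actor == target; unknown roles hold no permissions at all."""
    perms = POLICY.get(role, set())
    if action == "password.change":
        if "password.change.any" in perms:
            return True
        return "password.change.self" in perms and actor is not None and actor == target
    return action in perms


def view_config(role, config=SAMPLE_CONFIG):
    """Config as seen by role: Forbidden for roles without config.read,
    secrets masked for roles without config.read.secrets, full view otherwise."""
    if not authorize(role, "config.read"):
        raise Forbidden(f"role {role!r} may not read the configuration")
    view = deepcopy(config)  # never mutate the stored configuration
    if not authorize(role, "config.read.secrets"):
        for section in view.values():
            for key in SECRET_KEYS.intersection(section):
                section[key] = "<redacted>"
    return view
```

The settings endpoint checks `config.read` before rendering anything, so a guest never receives the network, FTP, e-mail or schedule sections even though the same page serves them to an admin.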
Hello friend, appreciate your feedback on the 'Guest Account' permission when accessing the camera via a web browser.
We have been diligently working on implementing some selected user requests, and I'm honoured to have yours added to the list. Some nice ideas have been implemented, as you can see in our changelog (What's New) of firmware/software updates. Please kindly understand that bug fixes are our top priority, and then user requests or feature requests. So it may take some time to see yours become true. Please stay tuned!
You may subscribe to our emails to get the news: https://reolink.us13.list-manage.com/subscribe/post?u=c0cb1c1b65426a6d9b3609705&id=a9bc53daec.