Tuesday, January 5, 2021

How do you "accidentally" add hard-coded credentials?

from here and here

Believe me, I can imagine how this backdoor got added to the Zyxel firmware. In theory they may be developing the firmware with the built-in account for testing purposes and then they remove or disable that code in the final build that they intend for release. But if that's what they're doing then this mistake begs to happen over and over again.

Maybe they should make a product that's testable in its final releasable form instead.