This is hardly even newsworthy these days
Got a cheap pan & tilt camera at a supermarket end-of-stock sale. Image quality was okay, IR was impressive, and it worked reasonably well (didn't even need an ActiveX plug-in!).
But one horribly fatal flaw. No, I don't mean the bit where the username and password are sent in every HTTP GET request.
No, it's worse than that.
If you can make an HTTP request without the initial '/' character (like a dozen lines of code), then you can request ANY file in the served directory COMPLETELY BYPASSING ALL SECURITY. The basic authentication is a bit rubbish, but omit the leading slash and you can walk right past it.
So no big deal right? It's just the web pages and junk that makes up the UI right?
Wrong. Try asking for "system.ini" (not "/system.ini") and you'll get back a binary file full of gibberish. Within that file, camera login names and passwords. Why stop there? WiFi AP name, MAC, password. Does the camera archive to an FTP server or send periodic messages to an email service? Guess what, names and passwords...
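The bypass described above comes down to the server's authentication check being keyed on the raw request-target string, so a target that is not in RFC 7230 origin-form (no leading '/') never reaches it. The following is an added example, not code from the original post or from the camera vendor: it shows the server-side fix (validate and canonicalize the request-target before any auth decision, then apply auth to the canonical path), plus a small log scanner that flags the two things a defender would want to see in access logs: request lines whose target lacks the leading slash, and requests for `system.ini`, the credential-bearing file the post names. The log format and sample lines are constructed; the file name set is assumed to need extending for other devices.

```python
import posixpath
import re
from typing import List, Optional, Tuple

# Combined Log Format with the request line quoted (constructed sample format).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
REQUEST_LINE = re.compile(r'^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<ver>\d\.\d)$')

# Files the post says hold credentials; requests for them are worth an alert
# whatever form the path takes (assumed list: only the name from the post).
SENSITIVE_FILES = {"system.ini"}


def normalize_target(target: str) -> Optional[str]:
    """Canonicalize an origin-form request-target.

    Returns the normalized absolute path, or None if the target is not
    origin-form (e.g. it lacks the leading '/'). A server that resolves
    'system.ini' as well as '/system.ini' has exactly the flaw the post
    describes: an auth check keyed on '/'-prefixed paths never sees it.
    """
    if not target.startswith("/"):
        return None
    path = target.split("?", 1)[0].split("#", 1)[0]
    # Collapse '.' and '..' so '/a/../system.ini' and '/system.ini' compare equal.
    norm = posixpath.normpath(path)
    return norm if norm.startswith("/") else None


def decide(request_line: str, authenticated: bool) -> Tuple[int, str]:
    """Server-side decision: reject malformed targets before any auth
    decision, and apply auth to the canonical path, not the raw string."""
    m = REQUEST_LINE.match(request_line)
    if not m:
        return 400, "malformed request line"
    norm = normalize_target(m["target"])
    if norm is None:
        return 400, "request-target must be origin-form ('/...')"
    if not authenticated:
        return 401, "authentication required"
    return 200, norm


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Detector: return (ip, target, reason) for requests that lack the
    leading slash or that name a credential-bearing file."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        rm = REQUEST_LINE.match(m["req"])
        if not rm:
            findings.append((m["ip"], m["req"], "unparseable request line"))
            continue
        target = rm["target"]
        if not target.startswith("/"):
            findings.append((m["ip"], target, "non-origin-form target (auth bypass pattern)"))
        elif posixpath.basename(target.split("?", 1)[0]) in SENSITIVE_FILES:
            findings.append((m["ip"], target, "request for credential-bearing file"))
    return findings


# Constructed sample log lines (not from any real camera).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2020:10:00:00 +0000] "GET /index.htm HTTP/1.1" 401 0',
    '192.0.2.10 - - [01/Jan/2020:10:00:01 +0000] "GET system.ini HTTP/1.1" 200 2048',
    '192.0.2.11 - - [01/Jan/2020:10:00:02 +0000] "GET /system.ini HTTP/1.1" 401 0',
    '192.0.2.12 - - [01/Jan/2020:10:00:03 +0000] "GET /img/logo.gif HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print(decide("GET system.ini HTTP/1.1", authenticated=False))
    print(decide("GET /system.ini HTTP/1.1", authenticated=True))
```

The second sample line is the pattern the post describes: a non-origin-form target answered with 200 and a non-trivial body size. Seeing that combination in a camera's access log (or in a reverse proxy placed in front of it) is the signal to look for; the proxy can also apply `decide()` itself and never forward such requests to the device.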
I contacted the company (months ago), mcl samar, and received no reply. I then asked them about the source code to the GPL parts of the device (it's a cut down Linux on one of those MIPS WiFi modules) and guess what, no reply.
The device info page has a current promotion on it, so either they aren't interested in supplying firmware updates, or they're still flogging this horrendously insecure piece of crap to people. http://www.mclsamar.com/ECOMMERCE_WEB/FR/PAGE_Produit.awp?P1=2936 (the more info link partway down the page gives lots of promo pictures, videos, etc - but no updated firmware!).