Still using the default password that came with that nice broadband router you installed at home? Time to get off your butt and change it: visiting the wrong website is enough to have key settings changed on the most popular models.

Symantec warns attackers can employ a simple piece of JavaScript to modify a router's domain name server settings. Once the router is rebooted, a rogue DNS will send the victim to spoofed websites with malicious intent.

That could unleash all kinds of new phishing expeditions, Symantec says. For example, the new DNS could route a request for bankofamerica.com or Microsoft's update site to fraudulent sites that steal login details or install back doors.

A proof of concept works with popular models made by Linksys, D-Link and Netgear, but only if they use the default password. Hence, the attack can be thwarted by setting a new password that's not easy to guess.

As with many of the recently discovered browser-related vulnerabilities, attacks also require JavaScript to be enabled. Running a program such as the NoScript extension to Firefox is also a safeguard in these cases. ®

Related stories

• Lumeta mines routers for network discovery (25 April 2007)
• Firefox hands out cookies from strangers (15 February 2007)
• Updated IE and Firefox cough up hard drive contents (13 February 2007)
• Updated Zero-day vuln hits Solaris (12 February 2007)
• MS plans 'dirty dozen' patch release (9 February 2007)
• Firefox popup exploit allows file snooping (7 February 2007)
• 150 ways to let hackers in (5 February 2007)