Update: Seems to be working on TP-Link Routers as well (tested on TL-WR841N).
Update2: Arcor EasyBox A600 also seems vulnerable.

Opening a legitimate looking email on an iPhone, iPad or Mac while using an Asus router with a default or guessable password could compromise the security of your internal network. I conducted tests on two Asus routers –  Asus RT-N16 and Asus RT-N56U – and the attack was successful. It is possible that other routers could be affected, including those not manufactured by Asus.

I’ve prepared a short video that demonstrates the problem. In this demonstration, the victim receives an email – when the email is opened, the internal network is compromised (The DNS servers used by the router were changed to an IP address controlled by the attacker).

Technical Details

I got the idea for these tests after I noticed that Apple devices load remote images in emails by default. This can cause privacy issues and it is not a recommended practice. A malicious user can send you an email with an embedded 1×1 pixel image in the background colour of your email client, so it is not visible. The email client will load this image from a remote server and, by doing so, discloses your IP address and email client banner, and possibly your identity. In some situations, such behaviour can have catastrophic consequences.

Since Apple devices are loading remote images by default, my first idea was to try to attack the home router. At home I am using the ASUS RT-N16 router.

The router, like many other routers, is using basic authentication to restrict access to the administrative interface. Once you’ve entered the administrative interface, you can send a POST request to apply changes to the configuration.

Unfortunately many people do not change the default router password because they do not even know about it, or simply do not care. It never crosses their mind that a malicious user can gain access to that interface. Even those who change the password often use a weak password.

In this test, if we manage to send a POST request using an email with an image, we can reconfigure the router. It turns out though that this router accepts configuration parameters from both POST and GET requests. Therefore, it is possible to take all the POST parameters, convert them to GET parameters and send an email to the victim containing an image with its source pointing to the router’s configuration URL. To increase the chances of this attack succeeding, I can send multiple images in the email; one with the default username and password for the router and others with most common passwords. The complete attack looks like this:


As we can see from the source code above, in the email we included a div which loads a number of iframes; the GET requests are the URLs that are normally used to configure the router.

This attack worked perfectly on my ASUS RT-N16 router and it also works on another router: ASUS RT-N56U. I have only tested with these two routers but any router that accepts configuration changes from GET parameters and doesn’t protect against CSRF should be vulnerable to this simple attack. I can also confirm that this attack works on iPhone, iPad and Mac’s default mail client.
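As an added illustration (not code from the post or from any router firmware), a minimal model of the two behaviours the text contrasts: a handler that applies any authenticated change regardless of HTTP method, beside one that insists on POST, a same-origin Origin/Referer header and a per-session CSRF token that a hidden frame cannot know. The `Request` class, the `dns_server` parameter and the paths are assumptions.

```python
from dataclasses import dataclass, field
import hmac

@dataclass
class Request:
    method: str
    path: str
    params: dict                  # query-string and body parameters, merged
    headers: dict = field(default_factory=dict)
    authenticated: bool = False   # True when the Basic-Auth credentials were valid

def apply_config_vulnerable(req):
    """Mirrors the behaviour described in the post: any authenticated request,
    GET or POST, that carries the right parameters changes the configuration."""
    if not req.authenticated:
        return False, "401 unauthorized"
    if "dns_server" not in req.params:          # constructed parameter name
        return False, "400 missing parameter"
    return True, "applied"

def apply_config_hardened(req, session_csrf_token, expected_origin):
    """Refuses the cross-site cases: GET (img/iframe fetches are always GET),
    requests whose Origin/Referer is not the router itself, and requests
    without the per-session CSRF token."""
    if not req.authenticated:
        return False, "401 unauthorized"
    if req.method != "POST":
        return False, "405 configuration changes require POST"
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not origin.startswith(expected_origin):
        return False, "403 bad or missing Origin/Referer"
    token = req.params.get("csrf_token", "")
    if not hmac.compare_digest(token, session_csrf_token):
        return False, "403 bad CSRF token"
    if "dns_server" not in req.params:
        return False, "400 missing parameter"
    return True, "applied"

# Constructed request of the shape a hidden iframe produces: the mail client
# sends a plain GET, the URL's credentials satisfy Basic-Auth, no token is present.
IFRAME_GET = Request("GET", "/placeholder_config", {"dns_server": "203.0.113.5"},
                     authenticated=True)

# Constructed request from the router's own admin page: POST, same origin, valid token.
ADMIN_POST = Request("POST", "/placeholder_config",
                     {"dns_server": "203.0.113.5", "csrf_token": "session-token-placeholder"},
                     {"Origin": "http://192.168.1.1"}, authenticated=True)
```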


The recommended practice is not to load remote images by default, or to ask the user to click a button to load them, like Gmail does. I have also found out that even Gmail will load remote images without asking for permission if you have already replied once to the sender of that email. So using such an attack against a Gmail user is also very simple: send a plain text email that will entice the victim to reply and, once he or she replies, send an email with a tracking image.

I have contacted Apple about this problem and their suggestion was to disable the “Load Remote Images” option. To do this you need to go to Settings -> Mail, Contacts, Calendars and look for “Load Remote Images” in the Mail section. You need to disable this option to protect yourself against this attack. However, by disabling this option, if somebody sends you an email with an embedded image you will not be able to see it.

Another option to prevent such an attack is to simply set a strong password for your home router.
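A mail-gateway-side check, added here as an example rather than anything from the original post: it flags img/iframe/frame sources that carry embedded credentials or point at a private or unqualified host, which are the two traits of the hidden frames described above (and of the `scheme://username:password@hostname/` form discussed in the comments). The sample message, its host and its path are constructed.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose src the mail client fetches automatically when remote content is enabled.
RESOURCE_TAGS = {"img", "iframe", "frame"}

class _ResourceCollector(HTMLParser):
    """Collects (tag, src) for every tag that makes the client fetch a resource."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag not in RESOURCE_TAGS:      # HTMLParser already lowercases tag names
            return
        for name, value in attrs:
            if name == "src" and value:
                self.urls.append((tag, value))

def _points_at_private_host(host):
    """True for loopback, RFC 1918 and link-local addresses and for bare names."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return "." not in host        # e.g. "router" or "localhost"

def suspicious_resources(html):
    """Return (tag, url, reasons) for each resource that looks like a router CSRF vector."""
    collector = _ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.urls:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            continue
        reasons = []
        if parts.username is not None:
            reasons.append("credentials embedded in URL")
        if parts.hostname and _points_at_private_host(parts.hostname):
            reasons.append("private or unqualified host")
        if reasons:
            findings.append((tag, url, reasons))
    return findings

# Constructed sample body (placeholder host, path and credentials, not a real router URL).
SAMPLE_EMAIL = """<p>Hi, see the attached offer.</p>
<img src="https://cdn.example.com/pixel.png" width="1" height="1">
<div style="display:none"><iframe src="http://user:pass@192.168.1.1/placeholder_config?x=1"></iframe>
<iframe src="http://router/placeholder_config?x=1"></iframe></div>"""
```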


Bogdan Calin

Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.

  • Interesting… what about Android phones?

    • I didn’t test on Android phones. I cannot say.

    • Android blocks images first if using the Hotmail app. You need to click “show images” to see the images.

  • Hi Bogdan, I have a question on how this works. I’m not really an HTML expert, but what does “executing” the attack have to do with loading the image? From the code, there’s a normal img src tag, with the link of the image, and then comes the invisible iframes. I mean, how is the image connected with the iframes? What’s the use of disabling loading images? Wouldn’t that just skip loading the “img src” tag, but still go ahead and execute the rest of the code, which is the “iframe src” tag?

    • Apple doesn’t have a separate settings for image, iframe, frame tags and other tags. They have only one setting “Disable remote images” and when you disable that option no remote content will be loaded. So, when you disable remote images you also disable iframes, frames and so on.

  • Nice CSRF attack !
    This attack can be conducted against any router having CSRF issues, not only Asus!

    good one anyway.

    • Thanks, I suspect other routers are affected. I’ve only had access to these 2 Asus routers and only tested those.

  • Seems to work on TP-Link Routers, too. At least TL-WR841N should be vulnerable.
    You just have to use other GET Parameters:

    But you have to set mtu as well because otherwise the router throws an error…

    • Very interesting. Thanks David, I will update the story.

  • So what happens when a user opens the email?

    • When a user opens the email, the iPad browser will load a hidden iframe that will reconfigure the router.

  • The vast majority of computer illiterate use webmail, which also tends to load remote images by default.

  • How about an even simpler remedy, changing the lan setup on your router to or

    • Yes, that would work for this particular script but it’s easy to bypass.

  • What’s the point in that?

    Every website could include such an iframe or img tag to “hack” the router.
    And that’s not “new”.
    Why is this blogpost only talking about mail?
    Most modern routers have randomly generated default passwords written on their back or force the user to change the password after first login. If they don’t do that, it’s the fault of the router, not the e-mail client.

    • There are still a lot of routers that don’t force the user to change the password. Actually, I’ve never encountered one until now and I’ve tried at least 10 routers in the past 3 years. This blog post talks about default passwords and guessable passwords. If you choose a bad password it’s still a problem.

      This attack shows that it’s possible to load external resources (imgs, iframes) using URLs with credentials.
      This should be fixed once and for all in iOS/Webkit (and the other browsers) by disabling resources loaded with credentials.

      At some point, as a protection for phishing, URLs with the format
      scheme://username:password@hostname/ were disabled. When you enter in the browser bar something like that it doesn’t work in most browsers.

      I was surprised to see that doing something like [img src=’scheme://username:password@hostname/path’] works in Chrome and Firefox but if you enter the same URL in the browser bar it doesn’t work. This doesn’t work in Internet Explorer, which is the right behavior in my opinion. I don’t see any good reason why something like this should work. Closing this in browsers will solve this problem once and for all.

      • Thank you for your response.
        I agree that URLs containing passwords for Basic-Auth/Browser-Auth are a security issue and should be disabled for resource loading. But that won’t “fix” the issue for websites, because redirects might do the same and the problem is still there as long as these URLs are not disabled completely. Actually, URLs with a password are part of the URI RFC 2396, Part 3.2.2 (even though it’s not recommended to use them there).

        You are right, that microsoft disabled this “feature” in their browser according to: http://support.microsoft.com/kb/834489/en

        I don’t know in what case you may need it, but I can think of multiple read only accounts to an ftp-server via URL. This will break. I think I was looking for drivers once and the driver manufacturer forwarded me to an ftp server with that URL-Scheme.

        I personally think that basic-auth is outdated for websites and should be replaced with a session based way including a “logout” button and restricted to POST-Forms only. In my opinion THAT’s the problem and not the browser/E-Mail clients.

        • Yes, it seems to work on Chrome now. I remember I tested some time ago and it didn’t work.
          In Firefox, Safari and Opera it requests confirmation and in Internet Explorer it doesn’t work at all.
          FTP URLs can remain as long as HTTP(s) URLs are disabled.
          HTML Form authentication would be another solution, yes.

          • I am trying HARD to understand this whole thing; I use and recommend the Asus RT-NT56 router!

            IF you use a secure router login password, does this cause the described Email Hack to NOT work?

          • Yes, if you use a secure password you are safe.

  • Did I understand correctly that we do not need the WLAN password (WPA2/WEP) for that?
    Because with having the WLAN password we could just do DNS spoofing with ettercap or arpspoof…

  • Very interesting. Tested it with Gmail and it really loads the content without permission after one response. I would not have expected that.

  • Good find – but has this been tested on anything else than i… equipment..?

  • We ran the Acunetix Free Scan back in May and it crashed our site, unleashing an email attack of thousands of emails all from Acunetix. After spending countless hours in trying to repair our site, we have been operational for seven months, but now the same email attacks from Acunetix have started again. Our mail server crashed and we had to take our ecommerce site off line.

    Why is this happening? How can we find the malicious script that Acunetix injected into our site causing these mass emails with the Acunetix name on them?

    • If scanning your site is causing such problems it means you have big security problems. Any attacker can cause the same problems that our scanner is causing.

      You need to perform a complete security audit to figure out what is happening; it’s impossible for us to let you know.
      These people will test your site, read the source code and figure out where the problem is.

  • that was interesting and informative also

  • Yes, I have also noticed such things. We should always be aware of it: we should not open mails from unknown sources, and we should also avoid spam mails.
