During installation, the router sent several data packets to an Amazon server in the US. These packets contained the configured SSID name and password in clear text, as well as some identification tokens for this network within a broader database and an access token for a user session that could potentially enable a MITM attack.
Linksys has refused to acknowledge/respond to the issue.
From what I can find, by “These routers send your credentials in plaintext”, they actually meant to say, “The mobile app sends credentials in plaintext.”
If you use the web interface then your credentials are not sent in plaintext. The routers themselves also don’t send credentials in plaintext.
The people who found this out got that wrong, and a lot of people are confused because they didn’t expand on “in plaintext.” They could be a little more professional / thoughtful.
Edit: I’m also thinking about the “may expose you to a MITM” bit. I think if it was https then a MITM (assuming all they can do is examine your packets) wouldn’t work because the data can only be unlocked by the private key. It sounds like it was an http connection?
This is what I’m thinking too. The only likely scenario under which the plaintext and MITM words make sense together is HTTP. I wouldn’t put it past Linksys to have used an HTTP API endpoint but these days a lot of things scream if you use HTTP. Thanks for the work!