Hotspot Mac Cookie security issue

newuser69 · January 17, 2018, 11:18am

the current formula of the cookie is to store a Mac value and compare it to every host in the hotspot if true then user is loged-in
so basically its not even a cookie its a list !!
a server side list of previously authorized users and the account in which this hardware address connected to
02:34:56:78:90:10 ---------- useraccount
this is software level poor security feature when it comes to mac cloning !!
i suggest rather than storing the mac as a sole identifier --- the list should be a ((full Dhcp fingerprint string))

Mac+Hostname+classid+fqdnid+whatever dhcp options in in the client side -------------- user account

A string of harvested Dhcp data :
02:34:56:78:90:10android-9518b3587XXXXXXXXXXXXXXXX -------------- user account

miro · January 17, 2018, 2:22pm

Uhmmm… If you don’t like it, just don’t use it… And Mikrotik has request for feature section…

newuser69 · January 17, 2018, 11:41pm

The “use it or leave it” argument is the poorest reply for an algorithm design analysis
this problem renders the hotspot package useless if not resolved

acruhl · January 18, 2018, 3:00am

It’s not useless. It’s just not as secure as it could be. This is not solely a MikroTik problem, this has existed a while with other hardware.

Yes, there are methods to fix it. If you paid $10,000 for that router instead of $50, you’d have a legit gripe. Otherwise, wait.

newuser69 · January 18, 2018, 5:25am

its not a hardware problem !! its a software layer issue which can exist in mikrotik 3000$ routers
this post is getting way off point !!

Hotspot Mac Cookie security issue

Mac+Hostname+classid+fqdnid+whatever dhcp options in in the client side -------------- user account

A string of harvested Dhcp data : 02:34:56:78:90:10android-9518b3587XXXXXXXXXXXXXXXX -------------- user account

A string of harvested Dhcp data :
02:34:56:78:90:10android-9518b3587XXXXXXXXXXXXXXXX -------------- user account