That you should change the default password on your home router - whether wired or wireless, has been ascertained by security researchers at Symantec and Indiana University. The researchers have discovered that attackers can change the configuration of home routers using that 'usual suspect', JavaScript code.

The team found it is possible to change the Domain Name System (DNS) router settings, by using a connected PC to view a Web page with JavaScript code.

The change in DNS effectively allows a hacker to divert all Internet traffic passing through the router.

Senior Principal Researcher at Symantec, Zulfikar "Zully" Ramzan, said he's been able to get the proof-of-concept code to work on Linksys, D-Link, and Netgear routers, and that one can easily create a single Web site to be able to attack all routers.

Ramzan said that all kinds of home routers are susceptible to the attack - only if their default router passwords haven't been changed.

He explained that malicious JavaScript code embedded on the hacker's Web page logs on to the router using really simple default credentials, and then changes the settings.

One of the reasons why people don't change router passwords, according to Ramzan, is that typically router set-up steps do not prompt users to change passwords. As such, many people end up never properly configuring their networking gear at all.

While this research was first published in Dec 2006, Symantec has publicized the findings only as of yesterday.

As regards JavaScript's famed vulnerability, security expert from Atlanta-based SPI Dynamics, Michael Sutton, said Javascript's flexibility and power make it an increasingly common component of cyber attacks. He said people are always coming out with new tricks with JavaScript...