These companies' complete disregard for standard security is incredibly alarming. How are the programmers working on this software (which is hugely complicated) missing something as obvious as CSRF protection?
To put this kind of attack in perspective: by not having CSRF tokens, it is possible for you to open a website in your browser which makes requests to your router by leveraging your browser's JavaScript engine and the fact you're on the same network as your router. CSRF tokens should be inserted into all submit forms on the user interface of the router and rotated on each login so that they're unique, so that attacking websites cannot create a valid form that the router will accept.
This is very basic stuff, almost the most basic protection imaginable when creating any kind of web application, be it banking, e-shopping, forum message sending, etc. For them to miss this giant glaring issue is honestly shocking beyond belief considering they are selling millions of routers.
Like I could literally make a website with some hidden JavaScript you can't see and post the link to you and take over your router. Brick it, open port numbers, lock out computers... anything I want. Totally ridiculous.
Even my Minecraft website I wrote that has online auctions and shopping for virtual goods (using made-up monopoly money, not real money) has CSRF protection so attackers can't steal my players' cash or items through attacks like these.
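The token scheme the comment describes (a hidden token in every form, rotated on each login), sketched as an added example that is not part of the original comment or any vendor's code. The in-memory session store and the names `login`, `render_form` and `handle_post` are assumptions made for illustration.

```python
import hmac
import html
import secrets

# Hypothetical in-memory state for a router admin UI (names are assumptions).
SESSIONS = {}       # session cookie value -> CSRF token
USER_SESSION = {}   # username -> current session cookie value


def login(username):
    """Start a session; any earlier session and its CSRF token are dropped."""
    old = USER_SESSION.pop(username, None)
    SESSIONS.pop(old, None)
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = secrets.token_urlsafe(32)  # fresh token per login
    USER_SESSION[username] = session_id
    return session_id


def render_form(session_id, action, fields_html):
    """Emit a settings form carrying the session's token as a hidden field."""
    token = SESSIONS[session_id]
    return (
        f'<form method="POST" action="{html.escape(action, quote=True)}">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        f"{fields_html}</form>"
    )


def handle_post(session_id, form):
    """Return an HTTP status: 200 only if the token matches this session."""
    expected = SESSIONS.get(session_id)
    if expected is None:
        return 401  # no valid session cookie
    supplied = form.get("csrf_token", "")
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403  # cross-site request: cookie was sent, token was not
    return 200


def demo():
    sid = login("admin")
    token = SESSIONS[sid]
    legit = handle_post(sid, {"csrf_token": token, "port": "8080"})
    # Constructed cross-site request: the browser attaches the cookie
    # automatically, but the other origin cannot read the token.
    forged = handle_post(sid, {"port": "8080"})
    sid2 = login("admin")  # logging in again rotates session and token
    stale = handle_post(sid2, {"csrf_token": token, "port": "8080"})
    return legit, forged, stale
```

The check has to run on every state-changing request; a single settings handler that skips it leaves the whole interface exposed.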