Home networks and private users who leave default passwords on network hardware unchanged are at increased security risk.

Security experts created an attack that redirects users to malicious sites once they hit a booby-trapped webpage that could compromise system's security by exploiting default passwords that have been left unchanged. The survey shows that round 50% left their passwords unchanged.

The attack has been written by security researchers from Symantec and University of Indiana. In a recently published paper they give a detailed description how to exploit default router passwords many private network users operate to share their broadband connection at home. Routers' configuration could be accessed and altered by using an administrative password that the vast majority of users never have changed.

The research shows that a booby-trapped website could use JavaScript code to access a router using default passwords to change its settings.

By changing for example DNS configuration hackers could make it divert users' connections to fake websites or email addresses. This could be fake banking, government or email websites which could be used for collecting sensitive information like account names and passwords.

This could lead to the phenomenon of pharming, which is a wholesale phishing – a large-scale theft of sensitive information.

It is highly recommended to change default administrative password on Internet-facing router devices to prevent this attack.