Starlink Dishy is vulnerable to CSRF via DNS Rebinding.

  • Disclosed by: BoBdoduk
  • Engagement: SpaceX/Starlink
  • Disclosed date: 8 months ago
  • Reward: $7,500
  • Priority: P2 (Bugcrowd's VRT priority rating)
  • Status: Resolved (this vulnerability has been accepted and fixed)

Summary by SpaceX/Starlink

This CSRF vulnerability allowed JavaScript on 3rd party websites to reach unauthenticated features (ex: reboot, stow, speedtest) on all generations of Dishy and the Starlink Router when a malicious website is loaded from a device connected via Starlink. Features requiring authentication (ex: changing WiFi passwords, adding a repeater, etc.) were not affected.

This vulnerability was patched in both the Starlink WiFi Router and Dishy in December 2023. Dishy and the router update automatically, so no user action is required.

Summary by BoBdoduk

Starlink Dishy (Gen 2) and Starlink Router (Gen 2) are vulnerable to DNS rebinding attacks.
Therefore, by following a malicious link created by an attacker, a remote attacker can take control of a Starlink device on the local network.
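
A standard server-side defence against the DNS rebinding described in both summaries is to reject any request whose Host (and, when present, Origin) header does not name the device itself, because a rebound request still carries the attacker's domain in those headers. The following is an added example, not Starlink's fix and not code from the report; the allowlist values, function names and sample requests are assumptions constructed for illustration.

```python
# Host/Origin allowlist check for a LAN device's unauthenticated HTTP API.
# Constructed allowlist (assumption): the only names and addresses under
# which this hypothetical device legitimately serves its local API.
ALLOWED_HOSTS = {"192.168.0.1", "device.lan", "localhost"}


def host_only(value):
    """Return the host part of a Host/authority value, without the port."""
    value = value.strip().lower()
    if value.startswith("["):                 # bracketed IPv6 literal, e.g. [::1]:80
        end = value.find("]")
        return value[1:end] if end != -1 else ""
    if value.count(":") == 1:                 # name-or-IPv4:port
        value = value.rsplit(":", 1)[0]
    return value.rstrip(".")                  # tolerate a fully qualified trailing dot


def is_request_allowed(headers):
    """headers: dict of request headers keyed by lower-case name."""
    # After rebinding, the browser connects to the device's IP but still
    # sends the attacker-controlled name in Host, so it fails this check.
    if host_only(headers.get("host", "")) not in ALLOWED_HOSTS:
        return False
    # Cross-site requests sent straight to the device IP carry a foreign
    # Origin; an opaque "null" origin is rejected as well.
    origin = headers.get("origin")
    if origin is not None:
        authority = origin.split("://", 1)[1] if "://" in origin else ""
        if host_only(authority) not in ALLOWED_HOSTS:
            return False
    return True


# Constructed sample requests: (headers, expected decision).
SAMPLES = [
    ({"host": "192.168.0.1"}, True),
    ({"host": "Device.LAN.:8080", "origin": "http://device.lan:8080"}, True),
    ({"host": "rebind.attacker.example",
      "origin": "http://rebind.attacker.example"}, False),
    ({"host": "192.168.0.1:80", "origin": "http://evil.example"}, False),
    ({"host": "192.168.0.1", "origin": "null"}, False),
    ({}, False),
]

if __name__ == "__main__":
    for headers, expected in SAMPLES:
        print(headers, "->", is_request_allowed(headers), "(expected", expected, ")")
```

The check only helps if it runs before any handler, including the unauthenticated ones such as reboot or stow; authentication on state-changing endpoints remains the stronger control.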
