O2, which as well as being a mobile phone company, is carving out a name for itself as a broadband supplier, following its acquisition of Be Internet two years ago. O2 has confirmed it is looking at the XSS security problem, which was raised by a reseacher - and one of its customers - saying he had spotted a design flaw.
Paul Mutton, a British security researcher and renter of the O2 Wireless Box III, claimed in his blog that he had revealed a vulnerability in the router which could potentially leave the device wide open to XSS forgery attacks.
He also suggested hackers would be able to view and change settings on the customer's modem and even steal the router's wireless encryption key due to teh XSS security flaw, even if the user had enabled a WPA2 setting.
The routers, which are customised versions of the Thomson TG585n, are also used by other service providers, Infosecurity notes.
O2 is unusual, however, in `hard coding' the routers to allow them to work out of the box when the user plugs the unit into the phone socket.
The ISP said it is taking the potential XSS security problem very seriously and is working with Thomson on a possible fix.