First it's important to verify that the browser you are using is not caching the User credentials making you ("Think") there is no requirement to use a User Id and Password for CGI commands like get_params.cgi. You can test this theory by purging your browser cache and trying the CGI command again to verify that in fact your current firmware has a security vulnerability.
Additionally. It would be a good idea to make sure that your browser is NOT using stored user credentials for your IP Cameras. By both its local IP Address and DDNS/WAN IP Address.
This is why. If you are going to personally use an unsecure Internet connection to access your MJPEG based IP Camera or you are going to allow someone else to access your MJPEG based IP Cameras remotely using HTTP access methods. It's best to use additional security methods, to protect yourself.
You can for example. Take your most trustworthy friends or family members whom you allow to access your IP Camera over an unsecure Internet connection and because the MJPEG based IP Camera in most cases only support unsecure HTTP access. You become "Screwed
Not really because this trustworthy friend or family member was trying to hurt you in any way. But because they don't realize that the HTTP protocol is not secure.
Because of this. I suggest using additional security methods like this for remote access to MJPEG based IP Cameras or any IP Camera which only supports HTTP access methods or is using HTTP Access methods for remote access.
While it does require access to a web server. It's worth it IMHO. In todays time you can run/operate your own ("Not shared") web server with a unique IP Address. Without any requirement to create a domain name, for as little as $5.00 U.S. a month example
. Which most likely you could use at minimum for FTP alarm notification snapshots and/or video recordings for your IP Camera:http://foscam.us/forum/showing-secure-methods-using-php-to-display-your-ip-cameras-t8721.html
At least you know that whatever firmware vulnerability may "Crop Up" with your IP Camera won't ever expose your IP Camera or data in your IP Cameras configuration to be abused by others.
Sadly. I know of many IP Camera owners that own IP Cameras that support HTTPS access methods. Yet they or their friends and family members always only use unsecure HTTP access methods to access their IP Cameras remotely. True insanity. IMHO. If your IP Camera supports HTTPS access methods you should disable remote HTTP access methods to your IP Camera and exclusively use HTTPS access to access your IP Camera remotely. Even that won't stop a man-in-the-middle attack. But it's much more safe and secure then remote HTTP access to your IP Camera.
Usually. It's someone like you who finds a flaw in a specific IP Camera firmware version and then everyone worldwide is on a hunt for IP Cameras like yours to abuse them ASAP.
As you stated. What's worse is that people can in cases like yours also DUMP
any Email and FTP User credentials anonymously
("See below"). Allowing them to take over and/or destroy those accounts, as well. So, this is not simply about someone being able to move your IP Camera around or view your IP Camera.
It's also about someone/others potentially taking over your Email and FTP/Website accounts as well! What they could do after doing so. I will leave to your imagination of what a worse case scenario afterwards, would be.
One last and final point about this is. Because the get_params.cgi request is a short term connection request to your IP Camera. As are virtually all/most other CGI requests to the IP Camera. It's NOT LOGGED in your IP Cameras access log information
. Meaning that you can't even tell if someone/others has/have used it.
Try it again. Then check your IP Cameras access log. You will see there is no IP Camera access log entry that someone/others DUMPED
the complete configuration data of your IP Camera. Including any Email and FTP User Credentials.
So. If you ever wanted to be a twin brother or sister. This is one way to "instantly" create your twin(s) with potentially some severe financial ramifications, while doing so!
While it might be possible that someone can/could stumble on the open port on your local network for your IP Camera and gain access to your IP Camera that way. Assuming that the port you picked for your IP Camera is not a standard port. It's much more probable that others will learn the DDNS/IP Address, Port and User credentials for your IP Camera while you or someone you allow is using an unsecure Internet connection using HTTP access methods to access your IP Camera remotely. This is why the additional security methods can be and are very helpful in cases like yours.
While these additional security measures don't currently support the full blown camera interface. They are better then remote HTTP access and they can be modified and customized by you as well.