
You need to watch the video again. Starting at 1:20 he mentions logging in using the default admin credentials.

He's using an XSS vulnerability in the router admin interface to execute JavaScript on the router's pages, so he can use JavaScript to do pretty much anything the user can do.

But even without an XSS exploit you can make cross-domain POSTs using forms, and GETs using IMG or SCRIPT tags. You just can't get the response, so it's not suitable for this attack where you need to get the MAC address out.

The "Drive-by Pharming" mentioned in the link I posted used the latter technique, because all it needs to do is POST some form that tells the router to update the DNS settings, it doesn't need the response.

He actually mentioned that technique in the video, but sort of glossed over it (right before "now, this isn't necessary in our geolocation XSS attack").



Thanks for the clarifications. I'm now turning off my router's web interface ;p SSH is all that's needed anyway.



