Loopholes in Chrome enable Hackers Break Into WiFi Routers
Surecloud, a cybersecurity firm has released a report about a Google Chrome, Chromium, Opera, Vivaldi and other Blink-engine based browsers’ unpatched flaw that enables cybercriminals to penetrate the home wifi networks of unsuspecting users. Eliot Thompson, a Surecloud researcher, upon checking Chrome’s behavior as found a flaw on how the browser implements its saved password feature and the user’s bad habit of using the same password across many services, including the password for the Wi-Fi router’s configuration page. Google-based browsers have an inherent flaw of offering users to save passwords for sites, which include wi-fi configuration page, which is normally using an unencrypted http:// URL.
The password manager that came with Chrome saves not only passwords but also other information submitted in a web form. This can include anything from a name, address, birthdate and any personally identifiable information as demanded by a sign-up form. At the moment the home routers affected by the flaw include known mainstream brands like Belkin, Asus, and Netgear. Routers from other vendors are still being checked for the existence of the vulnerability to the Google Chrome exploit, but the common understanding is any router that uses plain http unencrypted wi-fi configuration page is affected. There is no way to change the behavior unless the router vendor issues a new firmware that will change the wi-fi configuration page to a TLS-encrypted URL.
“There is always a trade-off between security and convenience, but our research clearly shows that the feature in web browsers of storing login credentials is leaving millions of home and business networks wide open to attack — even if those networks are supposedly secured with a strong password. We believe this design issue needs to be fixed within the affected web browsers, to prevent this weakness being exploited. In the meantime, users should take active steps to protect their networks against the risk of being taken over,” said Luke Potter, Surecloud’s Cybersecurity Practice Director, who accompanied Thompson with the research.
Google on their part dismissed Surecloud’s research saying that the behavior is by design and not a bug nor a security issue. However, Google has been engaging to doublespeak as its company representative also said: “Security is a core tenet of Chrome, and we are committed to providing our users with a secure web experience. We appreciate the security community for working with us to bring any concerns to our attention. We’ll study this closely and see if there are improvements to make.”
Surecloud has advised home users never save the Wi-fi password in Chrome, in order not to be cached by the browser. They are also recommending users to use Incognito mode, in order to suppress the prompt for saving passwords. The Incognito mode also automatically deletes the cache when the user exits the browser, which automatically removes user data from the hard drive and memory.
Users should take advantage of the visual clues in the Chrome’s Address Bar, as it provides a warning if a login page is in an unencrypted state instead of a TLS-encrypted webpage