A researcher working at cyber security firm SureCloud has identified a weakness in Google Chrome which lets hackers access home networks and wreak havoc
A weakness in Google Chrome password protection and its connection to millions of home WiFi routers has been uncovered by a researcher at cyber security company SureCloud.
Elliott Thompson identified how hackers can exploit the way in which the Chrome browser handles saved passwords to get control of WiFi networks, steal data from PCs and connected devices, or plant malware.
Reportedly, an attacker need only be within range of the WiFi router and of a device connected to it, and the router's log-in details must be saved in the browser. The attacker can apparently obtain those details within one minute, because Chrome-based browsers save them for convenience even when the router's administration page is vulnerable.
SureCloud’s cybersecurity practice director Luke Potter said: “There is always a trade-off between security and convenience, but our research clearly shows that the feature in web browsers of storing log-in credentials is leaving millions of home and business networks wide open to attack – even if those networks are supposedly secured with a strong password.”
“We believe this design issue needs to be fixed within the affected web browsers, to prevent this weakness being exploited.
“In the meantime, users should take active steps to protect their networks against the risk of being taken over.”
Weakness in Google Chrome applies to multiple browsers and routers
The vulnerability found by SureCloud applies to any browser based on the Chromium open source project, which includes Google Chrome, Opera, Slimjet and Torch.
WiFi routers that can be exploited include those from multiple providers, such as ASUS, NETGEAR, D-Link and Belkin.
SureCloud has provided steps to take to secure networks against hackers, which involve the following:
- Only log in to your WiFi router for configuration or updating using a separate browser or incognito browser session
- Clear your browser’s saved passwords and do not save credentials for unsecure pages
- Delete saved open networks and do not allow automatic reconnection to networks
- Change pre-shared keys and router admin credentials as soon as possible. Use a separate or incognito browser session for the configuration, and choose a strong password.
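To act on the second step, it helps to know which saved logins belong to unencrypted pages. The following is an added example, not code from SureCloud or the Chromium project: it audits a password export in CSV form and lists entries saved for plain-HTTP pages, flagging private addresses that are likely router admin pages. The column layout `name,url,username,password` and all sample rows are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the assumed column layout of a browser password
# export (name,url,username,password); every value here is made up.
SAMPLE_EXPORT = """name,url,username,password
192.168.1.1,http://192.168.1.1/login.htm,admin,REDACTED
router.example,http://router.example/,admin,REDACTED
mail.example.com,https://mail.example.com/signin,alice,REDACTED
10.0.0.138,https://10.0.0.138/,admin,REDACTED
"""


def is_private_host(host):
    """True if host is a literal private, loopback or link-local IP address."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an IP literal
    return addr.is_private or addr.is_loopback or addr.is_link_local


def audit_saved_logins(csv_text):
    """Return (url, username, reason) for saved logins on plain-HTTP pages.

    The password column is never read or returned.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        parts = urlsplit(row["url"])
        if parts.scheme.lower() != "http":
            continue  # HTTPS and non-web entries are out of scope here
        host = parts.hostname or ""
        if is_private_host(host):
            reason = "plain HTTP on a private address (likely router admin page)"
        else:
            reason = "plain HTTP"
        findings.append((row["url"], row["username"], reason))
    return findings


if __name__ == "__main__":
    for url, user, reason in audit_saved_logins(SAMPLE_EXPORT):
        print(f"{url}  user={user}  -> {reason}: delete this saved login")
```

Delete the export file once the audit is done, since it holds every saved password in clear text.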
The company released its findings to the public today, but responsibly disclosed its research to the Chromium project on 2 March this year.
Chromium responded the same day, saying that the browser feature was “working as designed” and that it does not plan to update the feature.