EASY ACCESS

Chrome hack warning over new WiFi attack that lets hackers steal your private info

A gaping flaw in your home internet network could be exploited via Google Chrome's auto-fill process, cyber-security experts have found

GOOGLE CHROME users are being warned of an alarming flaw in the web browser that could allow hackers to access your home WiFi network to steal your private data.

The cyber-attack takes less than a minute and can't even be stopped by a strong internet password, said cyber-security firm SureCloud.

Hackers can piggyback on Chrome to gain access to your unencrypted home WiFi connection (Credit: Getty - Contributor)

To pull it off, all the hacker needs to do is get within range of your home WiFi while a device (like a laptop, smartphone, or tablet) is actively using the network.

The attack then uses the well-known Karma exploit to steal your network login information, taking just a minute to complete.

Meanwhile all the victim will see is a page popping up that looks like their WiFi router’s administrator menu.

Chrome (and other browsers powered by its Chromium open-source code) offers to save WiFi router admin page credentials and re-enter them automatically for users’ convenience.

How to protect your WiFi network – tips from a cyber-security expert

SureCloud's web security professionals explain how to lock down your home internet network.

  • Only log in to your Wi-Fi router for configuration or updating using a separate browser or Incognito browser session.
  • Clear your browser’s saved passwords and do not save credentials for unsecure HTTP pages.
  • Delete saved open networks and do not allow automatic reconnection to networks.
  • Change pre-shared keys and router admin credentials as soon as possible. Use a separate or incognito browser session for the configuration, and choose a strong passphrase.
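
One way to act on the "do not save credentials for unsecure HTTP pages" tip is to check which saved logins sit on plain HTTP. The script below is an added example, not code from the article or from SureCloud. It assumes a browser password export in CSV form with `url` and `username` columns, and the sample rows are constructed.

```python
import csv
import io
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in an assumed export layout
# (name,url,username,password,note); every value is made up.
SAMPLE_EXPORT = """name,url,username,password,note
192.168.0.1,http://192.168.0.1/login.htm,admin,constructed-pw-1,
router.example,http://router.example/,admin,constructed-pw-2,
bank.example,https://bank.example/signin,alice,constructed-pw-3,
10.0.0.138,https://10.0.0.138/,admin,constructed-pw-4,
"""

def is_private_host(host):
    """True when host is a literal private, loopback or link-local IP."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an IP literal
    return ip.is_private or ip.is_loopback or ip.is_link_local

def audit_export(csv_text):
    """Return (url, username, reason) for each login saved on plain HTTP.

    The password column is never read, so it cannot leak into the report.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        url = row.get("url") or ""
        try:
            parts = urlsplit(url)
        except ValueError:
            continue  # malformed URL in the export; skip it
        if parts.scheme != "http":
            continue  # HTTPS entries are not flagged by this check
        if is_private_host(parts.hostname or ""):
            reason = "plain-HTTP login on a private address (likely router admin page)"
        else:
            reason = "plain-HTTP login"
        findings.append((url, row.get("username") or "", reason))
    return findings

if __name__ == "__main__":
    for url, user, reason in audit_export(SAMPLE_EXPORT):
        print(f"{url}  user={user}  -> {reason}")
```

Entries it reports are the ones to delete from the password manager; the export file itself holds passwords in clear text and should be deleted once the check is done.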

As most home routers do not use encrypted communications for management tasks, SureCloud's researchers were able to exploit this auto-fill process to both steal the router login details and use them to obtain the Wi-Fi network password with just "a single click required by the user for the attack to succeed".

The hacker could then gain access to your private folders, payment information and even plant malware (malicious software) on your device to keep snooping on your online activity.

The weakness applies to any browser based on the Chromium open source project, which develops the code for Chrome and other browsers such as Opera, Slimjet, and Torch.

Hackers would need to be in range of your WiFi network to successfully pull off the cyberattack (Credit: Getty - Contributor)

After being warned of the exploit, Google reportedly responded saying that the browser feature was "working as designed" and that it does not plan to update it.

In a statement provided to The Sun, a Google spokesperson said it is investigating the issue.

"Security is a core tenet of Chrome and we are committed to providing our users with a secure web experience," said the firm.

"We appreciate the security community for working with us to bring any concerns to our attention. We’ll study this closely and see if there are improvements to make."

Google has taken a bunch of measures to alert users when they visit an unencrypted HTTP website, including warning labels in Chrome's address bar.

As a result, the majority of sites have switched to more secure HTTPS – over 76 percent of Chrome traffic on Android is protected and 85 percent is safer on Chrome OS and Mac, while 83 of the top 100 sites on the web use HTTPS by default.

“There is always a trade-off between security and convenience, but our research clearly shows that the feature in web browsers of storing login credentials is leaving millions of home and business networks wide open to attack – even if those networks are supposedly secured with a strong password,” said SureCloud’s cybersecurity practice director, Luke Potter.

“We believe this design issue needs to be fixed within the affected web browsers, to prevent this weakness being exploited. In the meantime, users should take active steps to protect their networks against the risk of being taken over.”

