GOOGLE CHROME users are being warned of an alarming flaw in the web browser that could allow hackers to access your home WiFi network to steal your private data.
The cyber-attack takes less than a minute and can't even be stopped by a strong internet password, said cyber-security firm SureCloud.
To pull it off, all the hacker needs to do is get within range of your home WiFi while a device (like a laptop, smartphone, or tablet) is actively using the network.
The attack then uses the well-known Karma exploit to steal your network login information, taking just a minute to complete.
Meanwhile all the victim will see is a page popping up that looks like their WiFi router’s administrator menu.
Chrome (and other browsers powered by its Chromium open-source code) offers to save WiFi router admin page credentials and re-enter them automatically for users’ convenience.
How to protect your WiFi network – tips from a cyber-security expert
SureCloud's web security professionals explain how to lock down your home internet network:
- Only log in to your Wi-Fi router for configuration or updating using a separate browser or Incognito browser session.
- Clear your browser’s saved passwords and do not save credentials for unsecure HTTP pages.
- Delete saved open networks and do not allow automatic reconnection to networks.
- Change pre-shared keys and router admin credentials as soon as possible. Use a separate or incognito browser session for the configuration, and choose a strong passphrase.
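
One way to act on the second tip, as an added example that is not part of the original article or SureCloud's research: a Python script that reads a browser password export and lists saved logins for unencrypted HTTP pages, marking those on local addresses where router admin pages usually live. The CSV column names (name, url, username, password), the local hostname suffixes and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
from urllib.parse import urlsplit

# Constructed sample rows. The column layout (name,url,username,password)
# is an assumption about the browser's password export format.
SAMPLE_EXPORT = """name,url,username,password
router,http://192.168.0.1/login.htm,admin,REDACTED
bank,https://bank.example/login,alice,REDACTED
nas,http://10.0.0.5:8080/,admin,REDACTED
router-tls,https://192.168.1.1/,admin,REDACTED
forum,http://forum.example/signin,alice,REDACTED
"""


def is_local_host(host):
    """True for private, loopback or link-local IPs and for local-only names."""
    try:
        ip = ipaddress.ip_address(host)
        return ip.is_private or ip.is_loopback or ip.is_link_local
    except ValueError:
        # Not an IP literal: treat single-label names and common home-network
        # suffixes (an assumed list) as local.
        return "." not in host or host.endswith((".local", ".lan", ".home"))


def audit_saved_logins(csv_text):
    """Return (risk, host, username) for every login saved on a plain HTTP page.

    The password column is never read.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        parts = urlsplit(row.get("url") or "")
        if parts.scheme != "http" or not parts.hostname:
            continue  # HTTPS and malformed entries are out of scope here
        risk = "router-style" if is_local_host(parts.hostname) else "plain-http"
        findings.append((risk, parts.hostname, row.get("username") or ""))
    return findings


if __name__ == "__main__":
    for risk, host, user in audit_saved_logins(SAMPLE_EXPORT):
        print(f"{risk:12} {host:20} user={user}")
```

Entries marked router-style are the ones to delete from the browser first; delete the export file itself once the check is done, since it holds every saved password in plain text.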
As most home routers do not use encrypted communications for management tasks, SureCloud's researchers were able to exploit this auto-fill process to both steal the router login details and use them to obtain the Wi-Fi network password with just "a single click required by the user for the attack to succeed".
The hacker could then gain access to your private folders, payment information and even plant malware (malicious software) on your device to keep snooping on your online activity.
The weakness applies to any browser based on the Chromium open source project, which develops the code for Chrome and other browsers such as Opera, Slimjet, and Torch.
After being warned of the exploit, Google reportedly responded saying that the browser feature was "working as designed" and that it does not plan to update it.
The Sun reached out to Google separately and will update this article with its response.
“There is always a trade-off between security and convenience, but our research clearly shows that the feature in web browsers of storing login credentials is leaving millions of home and business networks wide open to attack – even if those networks are supposedly secured with a strong password," said SureCloud’s cybersecurity practice director, Luke Potter.
“We believe this design issue needs to be fixed within the affected web browsers, to prevent this weakness being exploited. In the meantime, users should take active steps to protect their networks against the risk of being taken over.”