Surecloud, a cybersecurity firm, has released a report about an unpatched flaw in Google Chrome, Chromium, Opera, Vivaldi and other Blink-engine-based browsers that enables cybercriminals to penetrate the home Wi-Fi networks of unsuspecting users. Eliot Thompson, a Surecloud researcher, found on checking Chrome's behavior that the flaw comes from how the browser implements its saved-password feature, combined with the user's bad habit of using the same password across many services, including the password for the Wi-Fi router's configuration page. Google-based browsers have an inherent flaw: they offer to save passwords for sites, including the Wi-Fi configuration page, which normally uses an unencrypted http:// URL.
The password manager that comes with Chrome saves not only passwords but also other information submitted in a web form. This can include a name, address, birthdate and any other personally identifiable information demanded by a sign-up form. At the moment, the home routers affected by the flaw include known mainstream brands like Belkin, Asus, and Netgear. Routers from other vendors are still being checked for vulnerability to the Google Chrome exploit, but the common understanding is that any router that uses a plain, unencrypted HTTP Wi-Fi configuration page is affected. There is no way to change the behavior unless the router vendor issues new firmware that changes the Wi-Fi configuration page to a TLS-encrypted URL.
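
The condition described above (a router configuration page with a password field delivered over plain http://) can be checked from the page's URL and markup. The following Python sketch is an added example, not code from Surecloud's report; the router address, paths and field names in the sample are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a router Wi-Fi settings page (address and names are assumptions).
SAMPLE_URL = "http://192.168.1.1/wireless.html"
SAMPLE_HTML = """
<form action="/search.cgi"><input type="text" name="q"></form>
<form action="/apply.cgi" method="post">
  <input type="text" name="ssid" value="HomeNet">
  <input type="password" name="wpa_psk">
</form>
"""

class _FormScan(HTMLParser):
    """Collect each <form> with its action and the names of its password inputs."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "password_fields": []}
            self.forms.append(self._open)
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._open is None:  # password input outside any <form>
                self._open = {"action": "", "password_fields": []}
                self.forms.append(self._open)
            self._open["password_fields"].append(a.get("name") or "(unnamed)")

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit_admin_page(page_url, html):
    """Return one finding per password form that is loaded or submitted over http://."""
    scanner = _FormScan()
    scanner.feed(html)
    findings = []
    for form in scanner.forms:
        if not form["password_fields"]:
            continue  # forms without a password field are not the concern here
        target = urljoin(page_url, form["action"])  # empty action posts back to the page
        cleartext = sorted({u for u in (page_url, target) if urlsplit(u).scheme == "http"})
        if cleartext:
            findings.append({"fields": form["password_fields"], "target": target,
                             "cleartext_urls": cleartext})
    return findings

if __name__ == "__main__":
    for finding in audit_admin_page(SAMPLE_URL, SAMPLE_HTML):
        print(finding)
```

An empty result for a page served and submitted over https:// corresponds to the TLS-encrypted configuration page the article names as the vendor-side fix.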