Saved credentials and HTTP are a deadly combination, researchers warn

A strong password may not be enough to protect a local WiFi network: a weakness in certain web browsers can let attackers get around it via the saved credentials feature.

Researchers from cybersecurity firm SureCloud said that a combination of a browser’s autofill feature – which ensures users don’t have to repeatedly enter their login details – and an unencrypted HTTP connection could be exploited by a malicious actor in order to gain access to a network.

This means that an attacker could steal information or spread malware without having to crack any password – as long as a device is connected to the target network.

The attack predominately affects Google Chrome, but the researchers said Firefox, Microsoft Edge, and Safari could also be exploited with additional user interaction.

“Most browsers prompt users to save credentials automatically,” writes Elliott Thompson, a security consultant with SureCloud, in the company’s vulnerability report that was originally disclosed to Google on March 2.

“The main pre-requisites that lower the likelihood are Chromium usage and saved router credentials, but this will still affect a huge number of people.”

The vulnerability is easily exploited by utilizing a well-known WiFi hijacking attack vector called Karma – a malicious access point that impersonates a WiFi network a user has previously connected to.

Once the Karma attack has been carried out and the user has been redirected to an attacker’s page, the browser will automatically enter the saved credentials if the autofill feature is turned on.

Thompson said: “Once the target device is successfully connected back to their original network, our page is sitting on the router admin interface’s origin with the admin credentials loaded into JavaScript.

“We then log in using an XMLHttpRequest and grab the PSK or make whatever changes we need.”

SureCloud tested the exploit on home routers, but noted that any IoT device could be susceptible to the attack.

“Fundamentally this is just a flaw in the way origins are shared and trusted between networks,” said Thompson.

“The easiest solution would be for browsers to avoid automatically populating input fields on unsecured HTTP pages. It is understandable that this would lower usability, but it would greatly increase the barrier to credential theft.”

Chrome responded immediately to SureCloud’s report, saying its browser was “working as designed”, with no further plans to update it.
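Since the browser behaviour is unchanged, the practical check is on the user's side: find saved logins that belong to cleartext HTTP origins on the local network, which are the ones the report describes as exposed. The following is an added example, not code from SureCloud or the article; it assumes a browser password export in CSV form with `url` and `username` columns, and the function names, suffix list and sample data are constructed for illustration.

```python
import csv
import io
import ipaddress
from urllib.parse import urlsplit

# Hostname suffixes commonly used on home/office LANs (assumption, extend as needed).
LOCAL_SUFFIXES = (".local", ".lan", ".home", ".internal")


def is_local_host(host: str) -> bool:
    """True for private/link-local/loopback IP literals and LAN-style hostnames."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: single-label names (e.g. "router") and LAN suffixes.
        return "." not in host or host.lower().endswith(LOCAL_SUFFIXES)
    return ip.is_private or ip.is_link_local or ip.is_loopback


def find_exposed_logins(csv_text: str) -> list[tuple[str, str]]:
    """Return (origin, username) for saved logins on cleartext HTTP local origins."""
    exposed = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        parts = urlsplit(row.get("url", ""))
        host = parts.hostname or ""
        # HTTPS origins and public hosts are out of scope for this check.
        if parts.scheme == "http" and host and is_local_host(host):
            exposed.append((f"http://{parts.netloc}", row.get("username", "")))
    return exposed


# Constructed sample export; the passwords are placeholders.
SAMPLE_EXPORT = """name,url,username,password
192.168.1.1,http://192.168.1.1/login.htm,admin,placeholder-1
example.com,https://example.com/signin,alice,placeholder-2
printer,http://printer/cgi-bin/auth,admin,placeholder-3
10.0.0.5,https://10.0.0.5:8443/,root,placeholder-4
news.example.org,http://news.example.org/login,bob,placeholder-5
"""

if __name__ == "__main__":
    for origin, user in find_exposed_logins(SAMPLE_EXPORT):
        print(f"saved login for {user!r} on {origin}: remove it or move the device to HTTPS")
```

Entries it flags are candidates for deletion from the browser's password store or for moving the device's admin interface to HTTPS where the device supports it.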