Google resolves browser vulnerability, positive response wins praise


Oh, no. Never comforting to read of login thefts of any sort and it is small wonder that a security sleuth made news when he discovered an issue with Chrome. Once again, the price of convenience becomes a topic, this time in the offer to save Wi-Fi credentials and re-enter them automatically for your convenience.

A Chrome browser issue was described earlier this month which could have left a door open for hackers. The good news is that the security glitch in the popular browser was resolved; Google fixed the vulnerability.

The problem involved credentials auto-filled on unencrypted HTTP pages. SureCloud delivered the subsequent news that the latest update of Chrome (tested against version 69.0.3497.81) addressed the issue. The latest version of the Chrome browser, version 69, has been released and it carried the patch.

ZDNet security reporter Catalin Cimpanu said it had been "a design issue" that attackers could exploit to steal the WiFi logins, whether from home or from corporate networks.

BetaNews quoted Luke Potter, SureCloud's cybersecurity practice director. "There is always a trade-off between security and convenience, but our research clearly shows that the feature in web browsers of storing login credentials is leaving millions of home and business networks wide open to attack—even if those networks are supposedly secured with a strong password."

Elliot Thompson, a researcher with UK cyber-security firm SureCloud, had put together a technique exploiting the design issue, said Cimpanu. Thompson's "Wi-Jacking" worked with Chrome on Windows.

"During a recent engagement we found an interesting interaction of browser behaviour and an accepted weakness in almost every home router that could be used to gain access to a huge amount of WiFi networks," said Thompson's SureCloud post on September 4.

The browser behavior related to saved credentials. Credentials saved in a browser, tied to a URL, are automatically inserted into the same fields when seen again. The router weakness was in the use of unencrypted HTTP connections to management interfaces. Thompson, though, said there was a solution for this path to credential-theft and he discussed it in his September 4 post.

"Fundamentally this is just a flaw in the way origins are shared and trusted between networks. In the case of home routers, they are predictable enough to be a viable target. The easiest solution would be for browsers to avoid automatically populating input fields on unsecured HTTP pages. It is understandable that this would lower usability, but it would greatly increase the barrier to credential theft."

At the time, Thompson recommended to "Clear your browser's saved passwords and don't save credentials for unsecure HTTP pages."
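Thompson's recommendation can be checked against a browser's exported password list. The following is an added example, not code from the article or from SureCloud: it assumes an export in CSV form with the columns `name,url,username,password`, uses constructed sample rows, and flags every login saved for a plain-HTTP origin, rating private-range addresses (the typical router management address) highest because the same origin exists on every network.

```python
import csv
import io
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in an assumed export layout (name,url,username,password).
# All hosts, usernames and passwords are made up.
SAMPLE_EXPORT = """name,url,username,password
192.168.1.1,http://192.168.1.1/login.htm,admin,example-not-real
router.example,http://router.example/,admin,example-not-real
mail.example.com,https://mail.example.com/login,alice,example-not-real
10.0.0.138,https://10.0.0.138/,admin,example-not-real
"""


def is_private_host(host):
    """True if host is an IP literal in a private, loopback or link-local range."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an IP literal
    return ip.is_private or ip.is_loopback or ip.is_link_local


def audit_saved_logins(csv_text):
    """Return findings for credentials saved against plain-HTTP origins.

    Passwords are read past but never copied into the findings.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        parts = urlsplit(row.get("url") or "")
        if parts.scheme != "http":
            continue  # only unencrypted origins are of interest here
        host = parts.hostname or ""
        findings.append({
            "origin": f"http://{parts.netloc}",
            "username": row.get("username") or "",
            # An address such as 192.168.1.1 names a different device on
            # each network, so the saved origin is not bound to one router.
            "severity": "high" if is_private_host(host) else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in audit_saved_logins(SAMPLE_EXPORT):
        print(f"[{f['severity']}] {f['origin']} (user: {f['username']})")
```

Entries the audit reports are the ones to delete from the browser's saved passwords, in line with the recommendation above.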

"Thompson says he reported the issue to Google, Microsoft, and ASUS in March, this year," said Cimpanu. "Google addressed his report by not allowing Chrome to auto-fill passwords on HTTP fields."

In addition to Chrome, are other browsers vulnerable? "Firefox, IE/Edge and Safari require significant user interaction, so attack does work, but is more of a social engineering based," said Thompson on September 4. "With Chrome it is significantly more seamless."

The usual advice applies: Update. Cimpanu wrote, "Updating to Chrome 69.0.3497.81 or later should keep users safe from Wi-Jacking attacks."

Commenting on Google's addressing the issue, Thompson said, "This is a positive response from Google and is great to see."


© 2018 Tech Xplore

Citation: Google resolves browser vulnerability, positive response wins praise (2018, September 7) retrieved 20 July 2019 from

User comments

Sep 07, 2018
Not heard of this, google chrome updates manually in help
