Take a pinch of autofill, mix in HTTP, and bake on a Wi-Fi admin page: Quirky way to swipe a victim's router password

Beware using your web browser's autofill feature to log into your broadband router via Wi-Fi and unprotected HTTP. A nearby attacker can attempt to retrieve the username and password. The problem – found by SureCloud's Elliott Thompson and detailed here – is the result of a mismatch in browser behavior and router configuration …

  1. Joe W
    Pint

    Quite a faff...

    ... and not that probable to work (or maybe I am missing the point [1]?). Most home-used routers (should!) require authentication via WPA2 or somesuch, which is not handled by the browser.

    It would work in hotels, where you get some printed out key to connect to the hotel's wifi through an http website, true, and if the hotel is configured that way, you could then use up a person's data allowance - if there is one. However, I had some cases where the key is linked to the device's MAC, which can of course also be spoofed (did that once or twice, first connected the phone, then tried with the laptop, had to change the MAC to connect...).

    What you could get this way is a person's password for their router. Which is of limited help, because the router sits on a wifi network that is (ok, should be...) secured by other means (WPA2...). Unless, of course, you rebuild the complete router admin website and then ask the user to fill in their broadband access code in there. This would require knowing which kind of device the target has (some routers advertise it in the SSID, and you could also find out the manufacturer from the MAC). Quite a faff, indeed....

    [1] we are missing a caffeinated-beverage-icon, so I chose a beer instead...

    1. A.P. Veening

      Re: MAC address

      "However, I had some cases where the key is linked to the device's MAC, which can of course also be spoofed (did that once or twice, first connected the phone, then tried with the laptop, had to change the MAC to connect...)."

      Tethering is easier and recharges your phone at the same time, still remember the surprise from a hotel about the amount of data my phone sent and received off the wifi ;)

  2. John Smith 19 Gold badge
    Unhappy

    "It would work in hotels,"

    This is clearly not a casual attack.

    So professional crims looking to harvest high value targets' creds in expensive hotels might find it quite useful.

    Likewise anyone else who's a paid spy might find it useful. Not necessarily a go to approach, but in the toolkit.

    Maybe the takeaway is "Autofill is not a good idea for login details" ?

    1. Jack of Shadows Silver badge

      Re: "It would work in hotels,"

      As are logging into open networks or allowing autoconnect to any network. That's the two show stoppers here. It'd have to be a really unusual set of circumstances to see me using those. As to Chrome, it gets my GMail from my second oldest account and logs into my banking and that's it. I'm being selective around what Google and Microsoft see on my end. Chrome did need an update, now fixed.

    2. oiseau Silver badge
      WTF?

      Maybe?

      Maybe?

      Maybe the takeaway is "Autofill is not a good idea for login details anything" ?

      There you go, fixed it.

      Cheers,

      O.

      1. Anonymous Coward
        Anonymous Coward

        Re: Maybe?

        Maybe the takeaway is "Autofill is not a good idea for anything" ?

        Yes, I know - everyone here uses a password manager secured by passphrase long enough to produce a short novel, and generating 24-character random alphanumeric+symbol passwords that never touch the clipboard but are entered by hand using a randomised-layout keyboard.

        Meanwhile the average person has to get on with their life, and for them using autofill with complex passwords is a hell of a lot better than "password123" for every login page they have to deal with.

  3. Anonymous Coward
    Anonymous Coward

    This is old hat

    The WiFi pineapple has a module for this.

    It's a MITM attack.

    Nothing new here.

  4. JJKing Bronze badge
    Facepalm

    Oh dear.

    Maybe it's the meds I am currently taking or that I am a complete numpty (personally I'd go with the latter), but they have to be inside your network to start with unless they get in via some other infection you've picked up. Then they would need to enable Remote Administration on the router so they can get access from anywhere rather than be in local Wi-Fi range.

    Well then just to be sure, I am upscaling my password security to Password1234.

    1. expreg

      Re: Oh dear.

      They can copy your network SSID and create an "Evil Twin." Then spam you with deauth frames, and then spam you with broadcast advertisements carrying that SSID. I've done it at home for shits and giggles (to my own devices, obviously).

      Someone mentioned the Wi-Fi Pineapple which has all of this built in. It's easy to do without one.

      Protected Management Frames (802.11w) can protect against the deauth spam, but I'm not sure many home telco routers use that.

      But yeah, I turned off auto-fill ages ago.

  5. John Crisp

    Autofill

    Why on earth is it ever allowed?

  6. Claptrap314 Bronze badge
    Facepalm

    https everywhere?

    Why on earth would you use http for the admin interface on anything? For crying out loud, I'm no sysadmin for anything, but that's just ridiculous.

    Oh, wait. Which article am I responding to? Umm... Well, yeah. Same, song, next verse. Otta get better, but it's gonna get worse.

    We need a mass facepalm icon.

  7. David Roberts Silver badge
    Paris Hilton

    Does this apply to home networks?

    Assuming your home network is reasonably secured, then the attacker can't directly get on.

    The attacker can boot you off onto their spoof network using deauth.

    They then get their web page (with dodgy code) into your browser and flip you back onto your own network.

    At this point their dodgy code is inside your secure network and is phishing for your admin credentials, intending to open up external access via remote admin, or to get credentials to join your secure network.

    This seems similar to (spear?) phishing. Getting the user to enter credentials into a dodgy web page.

    The point at which this seems unlikely is the same as with a phishing attack from an external web site. If you were browsing the Internet and suddenly you got a web page asking you to log onto your router as admin, would you?

    Or is this saying that if you have autofill enabled then a hidden web page could perform the login without anything being visible? For the specific example of being flipped onto a spoof network and back is any user interaction required?

    Totally confused now. If no user interaction is required then this is far easier to do with an infected web page or advert than through attacking the wireless network from somewhere nearby.
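
For readers who want to see which of their saved logins fit the combination this thread is about (a stored credential for a plain-HTTP page on a local address), the following added example, which is not part of the article or of any comment above, audits a browser password export. It assumes a CSV with `name` and `url` columns, as browser password exports commonly provide; the sample rows are constructed, and the password column is never read.

```python
import csv
import io
import ipaddress
from urllib.parse import urlsplit

# Constructed sample export. The column layout is an assumption about the
# export format; only "name" and "url" are used by the audit.
SAMPLE_EXPORT = """name,url,username,password
router,http://192.168.1.1/login.htm,admin,REDACTED
nas,http://nas/cgi-bin/login,admin,REDACTED
bank,https://bank.example/login,joe,REDACTED
forum,http://forum.example/signin,joe,REDACTED
printer,https://10.0.0.15/,admin,REDACTED
"""

def is_local_host(host):
    """True for private, loopback or link-local IP literals and for
    single-label or .local/.lan/.home names (typical device admin pages)."""
    try:
        ip = ipaddress.ip_address(host)
        return ip.is_private or ip.is_loopback or ip.is_link_local
    except ValueError:
        return "." not in host or host.endswith((".local", ".lan", ".home"))

def classify(url):
    """Return 'http-local', 'http-public' or 'ok' for one saved-login URL."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() != "http" or not host:
        return "ok"  # HTTPS (or unparseable) entries are out of scope here
    return "http-local" if is_local_host(host) else "http-public"

def audit(csv_text):
    """List (verdict, name, url) for every saved login stored for an HTTP origin."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        url = row.get("url") or ""
        verdict = classify(url)
        if verdict != "ok":
            findings.append((verdict, row.get("name") or "", url))
    return sorted(findings)

if __name__ == "__main__":
    for verdict, name, url in audit(SAMPLE_EXPORT):
        print(f"{verdict:12} {name:10} {url}")
```

Entries reported as `http-local` are the ones to remove from the browser's saved logins or move behind HTTPS on the device, since any network the laptop joins can answer for that address.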


Biting the hand that feeds IT © 1998–2019