If you are one of those who save and store your mobile passwords with services like LastPass, 1Password or Keeper on Android, then you will have to be very careful, as a security vulnerability may put your mobile phone at risk.
A vulnerability called “AutoSpill” can reveal the stored credentials of mobile password manager users by bypassing Android’s secure autofill mechanism, according to researchers from IIIT Hyderabad, who discovered the vulnerability and presented their research at the Black Hat Europe conference this week.
Researchers Ankit Gangwal, Shubham Singh and Abhijeet Srivastava found that when an Android app loads a login page in a WebView, password managers can be “misled” about where they should direct the user’s login credentials and may instead, in the researchers’ words, disclose them to the base application’s own fields. WebView, Google’s pre-installed engine, lets developers display web content inside an app without launching a web browser; when the embedded page shows a login form, Android’s autofill framework raises an autofill prompt, and the password manager has to decide whether the page’s fields or the host app’s native fields should receive the credentials.
“Let’s say you’re trying to log into your favorite music app on your mobile device and you use the ‘sign in with Google or Facebook’ option. The music app will open the Google or Facebook login page via WebView,” Gangwal told TechCrunch.
“When a password manager is invoked to autofill credentials, ideally it should only autofill on a loaded Google or Facebook page. But we discovered that the autofill operation could inadvertently expose credentials to the underlying application.”
Gangwal notes that the impact of this vulnerability, especially in a scenario where the underlying application is malicious, is significant. He added: “Even without phishing, any malicious app that asks you to log in through another site, such as Google or Facebook, can automatically gain access to sensitive information.”
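The scenario Gangwal describes, a music app hosting a Google sign-in page in a WebView, comes down to one decision inside the password manager: which fields in the autofill request are allowed to receive a credential saved for accounts.google.com. The following is an added example, not code from the researchers, Google or any password manager. It models an autofill request in Python as a flat list of field nodes, where native widgets belong to the host app (identified by package name) and fields rendered inside the WebView carry the domain of the page they came from (the real Android API exposes that via AssistStructure.ViewNode.getWebDomain(); here it is a plain attribute). The node layout, package name and credential are constructed for illustration. The first fill routine selects fields by their username/password hint alone and therefore also fills the host app’s own widgets; the second binds each field to its origin first.

```python
"""
Model of the origin check a password manager's autofill service must make
before handing a saved credential to a field.

Added example (not the researchers' or any password manager's code). The
request structure, package name and credential below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FieldNode:
    autofill_id: str           # hypothetical stand-in for Android's AutofillId
    hint: str                  # "username" or "password"
    package: str               # host app owning the view hierarchy
    web_domain: Optional[str]  # set only for fields rendered inside a WebView


@dataclass(frozen=True)
class Credential:
    origin: str                # web domain (or app package) it was saved for
    username: str
    password: str


# Constructed request: the host app shows accounts.google.com in a WebView,
# but the same screen also contains two native username/password widgets
# owned by the app itself.
SAMPLE_NODES: List[FieldNode] = [
    FieldNode("id-1", "username", "com.example.music", None),
    FieldNode("id-2", "password", "com.example.music", None),
    FieldNode("id-3", "username", "com.example.music", "accounts.google.com"),
    FieldNode("id-4", "password", "com.example.music", "accounts.google.com"),
]

SAMPLE_CREDENTIAL = Credential("accounts.google.com", "alice@example.com", "hunter2")


def field_origin(node: FieldNode) -> str:
    """Origin a field belongs to: the WebView page domain if it has one,
    otherwise the host app's package name."""
    return node.web_domain if node.web_domain else node.package


def fill_by_hint_only(nodes: List[FieldNode], cred: Credential) -> Dict[str, str]:
    """Flawed selection: every username/password field in the request gets
    the credential, regardless of which origin the field belongs to."""
    filled: Dict[str, str] = {}
    for node in nodes:
        if node.hint == "username":
            filled[node.autofill_id] = cred.username
        elif node.hint == "password":
            filled[node.autofill_id] = cred.password
    return filled


def fill_with_origin_check(nodes: List[FieldNode], cred: Credential) -> Dict[str, str]:
    """Hardened selection: a field is filled only when the origin it belongs
    to is the origin the credential was saved for (exact match here; real
    managers add eTLD+1 and app/site affiliation rules on top of this)."""
    filled: Dict[str, str] = {}
    for node in nodes:
        if field_origin(node) != cred.origin:
            continue  # host-app native widget or a different site: skip it
        if node.hint == "username":
            filled[node.autofill_id] = cred.username
        elif node.hint == "password":
            filled[node.autofill_id] = cred.password
    return filled


def leaked_fields(filled: Dict[str, str], nodes: List[FieldNode], cred: Credential) -> List[str]:
    """IDs of filled fields whose origin differs from the credential's origin,
    i.e. places where the credential ended up in the wrong hands."""
    by_id = {n.autofill_id: n for n in nodes}
    return sorted(i for i in filled if field_origin(by_id[i]) != cred.origin)


if __name__ == "__main__":
    naive = fill_by_hint_only(SAMPLE_NODES, SAMPLE_CREDENTIAL)
    safe = fill_with_origin_check(SAMPLE_NODES, SAMPLE_CREDENTIAL)
    print("hint-only fill leaks to:", leaked_fields(naive, SAMPLE_NODES, SAMPLE_CREDENTIAL))
    print("origin-checked fill leaks to:", leaked_fields(safe, SAMPLE_NODES, SAMPLE_CREDENTIAL))
```

Running the block shows the hint-only routine handing the Google credential to the two native fields (id-1 and id-2), which the host app can read directly, while the origin-checked routine fills only the two WebView fields. The check is deliberately strict: a credential saved for a web domain never lands in a field whose origin is a package name, so a malicious host app that merely embeds a legitimate login page gains nothing from the autofill step.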
The Keeper platform said it “protects users from autofilling credentials in an untrusted app or site that has not been explicitly authorized by the user” and recommended that the researchers submit their report to Google “as it specifically relates to Android.”
Source: Digital Trends