IIT Hyderabad: The International Institute of Information Technology (IIT) Hyderabad’s researchers revealed during a presentation at the Black Hat Europe security conference that the majority of Android password managers are susceptible to AutoSpill, even in the absence of JavaScript injection.
IIT Hyderabad’s big discovery
The IIT Hyderabad University researchers who found the vulnerability, and presented their findings at Black Hat Europe this week, named it “AutoSpill.” It can expose users’ saved credentials from mobile password managers by getting around Android’s secure autofill mechanism.
According to the researchers Ankit Gangwal, Shubham Singh, and Abhijeet Srivastava, Google’s preinstalled WebView engine lets developers show web content inside an app without opening a web browser, and when a login page is loaded in WebView it generates an autofill request. Password managers handling that request may become “disoriented” about where the user’s login information should go, and fill the credentials into the native fields of the underlying app instead of the web page, exposing them to that app.
“When the password manager is invoked to autofill the credentials, ideally, it should autofill only into the Google or Facebook page that has been loaded. But we found that the autofill operation could accidentally expose the credentials to the base app,” researcher Gangwal told TechCrunch.
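The defensive check implied by Gangwal’s description is that a password manager’s autofill service should fill only fields belonging to the web page that was loaded, never the host app’s native fields. The following Kotlin sketch of an Android `AutofillService` is an added illustration, not the researchers’ code nor any real password manager’s implementation. It walks the `AssistStructure` the framework hands to the service, tags each autofillable field with the web domain inherited from its nearest WebView ancestor (native views carry no `webDomain`), and builds a dataset only for fields on that page. The `SavedLogin` vault, the `DomainBoundAutofillService` class name and the sample credential are constructed for the example.

```kotlin
// Added example (not the page's or any product's code): an AutofillService that
// refuses to "spill" a web credential into native fields of the hosting app.
import android.app.assist.AssistStructure
import android.os.CancellationSignal
import android.service.autofill.AutofillService
import android.service.autofill.Dataset
import android.service.autofill.FillCallback
import android.service.autofill.FillRequest
import android.service.autofill.FillResponse
import android.view.View
import android.view.autofill.AutofillId
import android.view.autofill.AutofillValue
import android.widget.RemoteViews

class DomainBoundAutofillService : AutofillService() {

    // Hypothetical stored credential, constructed for the example.
    private data class SavedLogin(val domain: String, val username: String, val password: String)
    private val vault = listOf(SavedLogin("example.com", "alice", "correct horse battery staple"))

    // One autofillable field found in the assist structure, with the page it belongs to.
    private data class Field(val id: AutofillId, val hint: String, val webDomain: String?)

    override fun onFillRequest(request: FillRequest, cancel: CancellationSignal, callback: FillCallback) {
        val structure = request.fillContexts.last().structure
        val fields = collectFields(structure)

        // A WebView login page is present if any node carries a web domain.
        val pageDomain = fields.firstNotNullOfOrNull { it.webDomain }
        if (pageDomain == null) {
            // Native-only form: ordinary app autofill, out of scope for this example.
            callback.onSuccess(null)
            return
        }

        val login = vault.firstOrNull { it.domain == pageDomain }
        if (login == null) {
            callback.onSuccess(null)
            return
        }

        // Mitigation: only fields rendered by the same web page receive the credential.
        // Native fields of the host app (webDomain == null) are deliberately excluded.
        val safeFields = fields.filter { it.webDomain == pageDomain }
        if (safeFields.isEmpty()) {
            callback.onSuccess(null)
            return
        }

        val presentation = RemoteViews(packageName, android.R.layout.simple_list_item_1)
        presentation.setTextViewText(android.R.id.text1, login.username)
        val dataset = Dataset.Builder(presentation)
        for (f in safeFields) {
            val value = when (f.hint) {
                View.AUTOFILL_HINT_USERNAME, View.AUTOFILL_HINT_EMAIL_ADDRESS -> login.username
                View.AUTOFILL_HINT_PASSWORD -> login.password
                else -> null
            }
            if (value != null) dataset.setValue(f.id, AutofillValue.forText(value))
        }
        callback.onSuccess(FillResponse.Builder().addDataset(dataset.build()).build())
    }

    private fun collectFields(structure: AssistStructure): List<Field> {
        val out = mutableListOf<Field>()
        for (i in 0 until structure.windowNodeCount) {
            walk(structure.getWindowNodeAt(i).rootViewNode, null, out)
        }
        return out
    }

    // webDomain is set on the node that contains the HTML document; DOM fields below it
    // inherit that domain here, while native views outside the WebView stay null.
    private fun walk(node: AssistStructure.ViewNode, inherited: String?, out: MutableList<Field>) {
        val domain = node.webDomain ?: inherited
        val id = node.autofillId
        val hint = node.autofillHints?.firstOrNull()
        if (id != null && hint != null) out += Field(id, hint, domain)
        for (i in 0 until node.childCount) walk(node.getChildAt(i), domain, out)
    }
}
```

Two caveats for anyone adapting this: the exact-string comparison of `webDomain` against the stored domain is a placeholder for a proper registrable-domain (eTLD+1) match, and a production manager would additionally record which host app package the page was loaded in, since a web credential autofilled inside an unknown app is exactly the situation the researchers warn about.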
How can hackers use it?
An attacker can exploit AutoSpill when the user logs in through a WebView embedded in an unknown or malicious app, because that host app is where the spilled credentials end up. Moreover, if you are using the primary Google account on your personal Android phone, autofill from a password manager app might not be necessary at all. The makers of the affected password managers have acknowledged the problem, so a fix should follow soon.