Hackers Use the AutoSpill Vulnerability to Steal Password Managers: IIIT Hyderabad

Social networking sites, banking networks, and email services all require passwords that are hard to remember.

We use password managers to get around this. However, IIIT Hyderabad researchers have demonstrated that it is easy to obtain usernames and passwords from Android password managers.

Researchers from the International Institute of Information Technology (IIIT) Hyderabad unveiled AutoSpill, an unusual attack, at the Black Hat Europe 2023 conference in London.

When the login page loads, these Android password managers employ the platform’s WebView framework to automatically input the user’s account credentials.

Malicious apps can access data from the password manager unnoticed due to a flaw in the Android WebView module, which is based on the Chrome browser and used to enter credentials in apps.

For example, if you sign in to a music app using Google or Facebook, the app opens the login page in a WebView inside that app. It was also found that, when the autofill request succeeds, the credentials are disclosed to the app.

That is, if a password manager uses autofill to automatically input the access credentials, the login data can be entered into the data fields of the underlying app in WebView rather than the website.

In this situation, the app can simply read the login information, which should have been placed in the login page within WebView.

Even if there is no phishing, any fraudulent application that asks you to log in through another site, such as Google or Facebook, can acquire access to important information.

The researchers put phones and tablets running Android 10, 11, and 12 to the test.

According to them, 1Password, Keeper, Enpass, Keepass2Android, and LastPass are vulnerable to AutoSpill attacks that do not need JavaScript injection.

Some password management systems, such as Google Smart Lock and Dashlane, do not support the AutoSpill option.

The researchers informed the Android security team and password manager developers of their findings. All of these issues may be addressed in a future release.
