Many social networking sites, banking networks, and email services require passwords that are hard to remember.
We use password managers to get around this. However, IIIT Hyderabad researchers have demonstrated that it is easy to obtain usernames and passwords from Android password managers.
Researchers from the International Institute of Information Technology (IIIT) Hyderabad unveiled AutoSpill, an unusual attack, at the Black Hat Europe 2023 conference in London.
When the login page loads, these Android password managers employ the platform’s WebView framework to automatically input the user’s account credentials.
Malicious apps can access data from the password manager unnoticed due to a flaw in the Android WebView module, which is based on the Chrome browser and used to enter credentials in apps.
For example, if you sign in to a music app using Google or Facebook, the login page opens in a WebView inside that app. It has also been discovered that when the autofill request is successful, credentials are disclosed to the app.
That is, if a password manager uses autofill to automatically input the access credentials, the login data can be entered into the data fields of the underlying app in WebView rather than the website.
In this situation, the app can simply read the login information that should have been placed only on the login page within WebView.
Even if there is no phishing, any fraudulent application that asks you to log in through another site, such as Google or Facebook, can acquire access to important information.
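A password manager can guard against the mix-up described above by filling only fields that belong to the WebView's document and never the host app's native fields. The Kotlin code below is an added example, not code from the researchers or from any password manager; `FillTargets`, `collectWebFillTargets` and the rule that a field inherits the web domain of its nearest ancestor are assumptions made for illustration.

```kotlin
import android.app.assist.AssistStructure
import android.app.assist.AssistStructure.ViewNode
import android.view.View
import android.view.autofill.AutofillId

// Hypothetical helper for a password manager's AutofillService (not from the article).
// webFields:    fillable nodes inside a web document whose domain matches the credential.
// nativeFields: fillable nodes owned by the host app or by another domain; never filled.
data class FillTargets(
    val webFields: MutableList<AutofillId> = mutableListOf(),
    val nativeFields: MutableList<AutofillId> = mutableListOf(),
)

fun collectWebFillTargets(structure: AssistStructure, credentialDomain: String): FillTargets {
    val targets = FillTargets()
    for (i in 0 until structure.windowNodeCount) {
        walk(structure.getWindowNodeAt(i).rootViewNode, null, credentialDomain, targets)
    }
    return targets
}

private fun walk(node: ViewNode, inherited: String?, credentialDomain: String, out: FillTargets) {
    // Assumption: a field belongs to the nearest node (itself or an ancestor)
    // that reports a web domain; a null domain means a native view of the app.
    val domain = node.webDomain ?: inherited
    val id = node.autofillId
    if (id != null && node.autofillType != View.AUTOFILL_TYPE_NONE) {
        // Exact host match only, so credentials saved for one site are not
        // offered to native fields or to a different site's document.
        if (domain != null && domain.equals(credentialDomain, ignoreCase = true)) {
            out.webFields += id
        } else {
            out.nativeFields += id
        }
    }
    for (i in 0 until node.childCount) {
        walk(node.getChildAt(i), domain, credentialDomain, out)
    }
}
```

The service would build its fill response from `webFields` only; a non-empty `nativeFields` alongside a web login form is the situation the article describes and is worth logging.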
The researchers put phones and tablets running Android 10, 11, and 12 to the test.
Some password management systems, such as Google Smart Lock and Dashlane, do not support the AutoSpill option.
The researchers informed the Android security team and password manager developers of their findings. All of these issues may be addressed in a future release.