Hyderabad: Researchers at the International Institute of Information Technology, Hyderabad (IITH) have found that the ‘autofill’ feature used by Android apps can inadvertently leak login credentials to the app hosting the web page being filled.
The paper “AutoSpill: Credential Leakage from Mobile Password Managers” by Professor Ankit Gangwal and master’s students Shubham Singh and Abhijeet Srivastava recently won the Best Paper Award at the ACM Conference on Data and Application Security and Privacy (CODASPY) 2023.
The research shows that when a user tries to log in to an app on the Android operating system (OS), the OS generates an autofill request to a password manager (PM).
According to the university’s announcement, the team discovered that whenever an app loaded a login page in a WebView, an autofill request was generated from that WebView.
The PM and the mobile OS then have no reliable way to tell which page the login credentials should be entered into.
The expected behaviour is that the credentials go only to the login page inside the WebView, but the app that loads the WebView can also end up with the sensitive information.
Explaining this process, Professor Gangwal says, “When you try to log in to a music app on your mobile device and use the ‘Log in via Google or Facebook’ option, the music app internally opens a Google or Facebook login page (i.e., within the music app) via WebView.
“When a PM is called to autofill credentials, ideally it should only autofill the Google or Facebook page that is loading. We now know that it can be exposed to an app, in this case a music app,” the professor added.
He also emphasized that no phishing is needed: a malicious app that asks the user to log in through another site, such as Google or Facebook, can obtain the sensitive information automatically.
“We notified Google and our password managers of this, and Google has since acknowledged the breach,” Gangwal said in a statement, adding that the consequences, if the underlying app were malicious, are terrifying.
This post was last updated on October 18, 2023 at 11:05 AM.