AutoSpill, Android apps can steal passwords using WebView

At the Black Hat Europe conference taking place this week, Ankit Gangwal (International Institute of Information Technology, IIIT) and his students Shubham Singh and Abhijeet Srivastava reported the discovery of a vulnerability called “AutoSpill” that can lead to the disclosure of users’ personal credentials on Android.

The main password managers for Android rely on the WebView component, integrated at the operating system level. WebView is a software component that allows web content to be embedded within a mobile application: it provides an embedded browser inside the app, so developers can display web pages or content directly within the application interface without launching a separate browser.

What is the AutoSpill attack and how does it work

When an Android app loads a login page using WebView, password managers can get confused and fail to recognize the correct place to enter the login information previously saved by the user. This behavior can lead to sensitive data, such as usernames and passwords, being inserted into native fields of the underlying app.

“Let’s say you try to access your favorite music app through your mobile device and use the ‘Log in via Google or Facebook’,” said Gangwal of the research team. “If a password manager is invoked to autofill credentials, it should ideally only do so on Google or Facebook pages. However, the autofill operation performed by the password manager could expose credentials to the underlying app.” And this absolutely should not happen, because it would mean handing the passwords for Google, Facebook or other platforms to an unauthorized third party.

10 password managers for Android vulnerable to the AutoSpill attack

Gangwal confirms that the top ten password managers usable on Android devices were found to be vulnerable to AutoSpill. After discovering the problem, he and his team immediately contacted the software developers. The result? Either they received no response, or the developers shifted all responsibility to Android.

One of the few products that showed full cooperation, ensuring a timely fix for the problem in question, was 1Password.

The risk is that malicious applications can obtain user credentials without launching phishing attacks or resorting to particular subterfuges. Apps developed to steal users’ credentials can even remain on the Play Store for months and months, making their malicious behavior very difficult to uncover. In this way, the probability of targeting a large number of unaware users is high.

The authors of the discovery note that password managers could mitigate the risk of attack simply by binding the credential-entry fields (username and password) to the single domain name to which that data refers.
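To make the failure mode and the proposed mitigation concrete, here is a small model of a password manager’s autofill decision, added as an illustration for this article; it is not the code of any real password manager nor of Android’s Autofill framework. The Field and Credential structures, the app package name, the field identifiers and the domain login.example-sso.test are all constructed for the example. The vulnerable function fills every login field in the request once a matching page is loaded; the domain-bound function only releases a credential into fields that actually belong to the domain it was saved for, and never into the host app’s native fields.

```python
"""Simplified model of an autofill decision, constructed for illustration.

An Android autofill request carries a tree of fields; some belong to the
app's native UI and some to a page rendered in a WebView. A credential saved
for a web domain must only be released into fields of that web domain.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Field:
    field_id: str
    kind: str                   # "username" or "password"
    app_package: str            # app that owns the view tree (constructed value)
    web_domain: Optional[str]   # host of the page if the field is inside a WebView, else None


@dataclass(frozen=True)
class Credential:
    username: str
    password: str
    domain: str                 # domain the credential was saved for


def _value_for(cred: Credential, field: Field) -> str:
    return cred.username if field.kind == "username" else cred.password


def naive_fill(fields: List[Field], creds: List[Credential], page_url: str) -> Dict[str, str]:
    """AutoSpill-style behaviour: once a page for a saved domain is loaded,
    every username/password field in the request is filled, including the
    host app's native fields. Returned dict maps field_id -> value."""
    host = urlsplit(page_url).hostname
    cred = next((c for c in creds if c.domain == host), None)
    if cred is None:
        return {}
    return {f.field_id: _value_for(cred, f) for f in fields}


def domain_bound_fill(fields: List[Field], creds: List[Credential], page_url: str) -> Dict[str, str]:
    """Mitigated behaviour: a credential is bound to its domain. Each field is
    checked individually; native fields (no web domain) and fields from any
    other domain are skipped. Exact host matching is used here for clarity;
    real managers also consult a public-suffix list."""
    host = urlsplit(page_url).hostname
    filled: Dict[str, str] = {}
    for f in fields:
        if f.web_domain is None:
            continue                      # native app field: never gets a web credential
        if f.web_domain != host:
            continue                      # field belongs to some other page
        cred = next((c for c in creds if c.domain == f.web_domain), None)
        if cred is not None:
            filled[f.field_id] = _value_for(cred, f)
    return filled


# Constructed scenario: a music app shows a "log in via SSO" WebView while its
# own native username/password fields are also part of the autofill request.
APP = "com.example.musicapp"
SSO = "login.example-sso.test"
SAMPLE_FIELDS = [
    Field("native_user", "username", APP, None),
    Field("native_pass", "password", APP, None),
    Field("web_user", "username", APP, SSO),
    Field("web_pass", "password", APP, SSO),
]
SAMPLE_CREDS = [Credential("alice", "correct horse battery staple", SSO)]
SAMPLE_URL = f"https://{SSO}/oauth/authorize?client=musicapp"


def leaked_to_native(fill: Dict[str, str], fields: List[Field]) -> List[str]:
    """Return ids of native (non-WebView) fields that received a value."""
    native_ids = {f.field_id for f in fields if f.web_domain is None}
    return sorted(fid for fid in fill if fid in native_ids)


if __name__ == "__main__":
    print("naive:", leaked_to_native(naive_fill(SAMPLE_FIELDS, SAMPLE_CREDS, SAMPLE_URL), SAMPLE_FIELDS))
    print("bound:", leaked_to_native(domain_bound_fill(SAMPLE_FIELDS, SAMPLE_CREDS, SAMPLE_URL), SAMPLE_FIELDS))
```

In a real Android autofill service the per-field origin that the model’s web_domain stands in for is exposed by the framework (each view node reports its web domain when it comes from a WebView), so the check that matters is the one in domain_bound_fill: treat a missing or mismatched domain as a reason not to fill, not as a reason to fall back to filling everything.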

Gangwal, however, suggests that replacing passwords with passkeys, based on the FIDO Alliance specifications and the W3C WebAuthn standard, could be the definitive solution. Passkeys, in fact, require explicit consent for each application or online service that uses them.

Opening image credit: Principe
