Phone Reviews

Some mobile password managers could be leaking user credentials

1 Mins read

Some mobile password managers could be leaking users’ credentials thanks to an autofill susceptibility in some Android apps.

The problem, which has been cleverly labelled as ‘AutoSpill,’ can expose users’ saved passwords from mobile managers by evading Android’s secure autofill mechanism.

The unsavoury news comes from university researchers at the International Institute of Information Technology, Hyderabad, who presented their findings at a computer security conference event called Black Hat Europe.

The full study is extremely detailed, but the main problem is certain password managers become confused about where the user’s login information should be targeted when an app uses WebView, leading to credentials being exposed to the underlying app. WebView is a tool in Android for rendering webpages without going through a web browser, and is often used by apps to display login pages and other content without bouncing users out of the app and into Chrome or another browser.

One researcher on the project, Ankit Gangwal, says that the release of users’ credentials poses a significant security risk. “Even without phishing, any malicious app that asks you to log in via another site, like Google or Facebook, can automatically access sensitive information,” said Gangwal.

Popular password managers such as Enpass, 1Password, LastPass and Keeper were tested for the AutoSpill vulnerability, with all showing signs of potential credential leakage.

Thankfully, Gangwal has alerted Google and the affected password managers to the susceptibility, with some of the companies already telling TechCrunch that they are looking for ways to solve the issue.

Further, the team of student researchers is currently looking into whether the vulnerability can be replicated on iOS. It’s also exploring scenarios in which attackers could extract credentials from the app to WebView.

Credential Manager, Google’s own password security program that works with apps like 1Password and Enpass, launched on November 1st.

Source: TechCrunch

Related posts
Phone Reviews

If you squint, it’s a computer

6 Mins read
Apple has a new iPad on the market, and its story is much the same as that of the M1 version from…
Phone Reviews

Asus Zenbook Duo (2025) Review: Still the two-screened king

4 Mins read
Asus refreshed its dual-screen laptop, the Zenbook Duo, this year with a new processor. Unfortunately, there isn’t much else the company did…
Phone Reviews

Apple officially delays personalized Siri Apple Intelligence feature

1 Mins read
While the biggest cheer at WWDC in 2024 was Apple showing off the new AI enhancements to Siri, that upgrade is now…

Leave a Reply

Your email address will not be published. Required fields are marked *