IIIT-H has revealed one of its research (by Way of Bleepingcomputer) at Lightless Hat Europe’s security conference, which proves that many passwords on Android are unable to protect the account details. These password manager can be hacked by hackers without an autospill attack without JavaScript injection. App in Android system usually uses webview controllers to show web content, such as login page within the app. This is done to improve the experience of users using small-screen devices. In this, log-in is made available on the same page without the need to send users to the browser.
Now how does it actually work? Let’s know When an app loads the page to log in to FB, Google or any other service, it is often seen that any password manager on Android already shows the credentials of that account on the sev and gives the option to submit. To do this, apps use the webview framework of the platform.
The report states that the Autospill attack takes advantage of the weaknesses in this process, allowing hackers to access auto-fill credentials on the Invocking app, even without JavaScript injection. This vulnerability arises from the failure of Android in implementing or clearly defined responsibility for safe handling of data filled data.
Researchers tested an autospable attack against various password managers on Android version 10, 11 and 12. The weak password manager included 1password 7.9.4, Lastpass 5.11.0.9519, Enpass 6.8.666, Keeper 16.4.3.1048, and Keepass2android 1.09C-R0. Google Canny Lock 13.30.8.26 and Daslane 6.2221.3 adopted a separate technical approach to autofil, in which until JavaScript injections are used, sensitive data leaks in the host app can be avoided.
Bleepingcomputer contacted all these apps to comment in this matter. In the case, Google also replied and said, “Webviews are used by Android developers in various ways, including hosting a login page for their own services. The problem is related to how the password managers take advantage of autofil API while interacting with webviews.”
The company further said, “We recommend that the third-party password managers should be sensitive to where the password is being input, and we have the best ways of webView that we recommend to apply all password managers. It also gives a legend to the difference between Android password managers and webviews. The webview being done is not related to the hosting app. “
Giving an example of this, Google said, “When using Google Password Manager for autofil on Android, users are warned that if they are entering a password for a domain that determines Google that the hosting app does not owe the hosting app and the password is filled in the appropriate field only. Google is only applied for the login. Is.”
Some other password managers have also responded to the website, which you can read in this report.
