IIIT Hyderabad discovers Android apps may leak login information
By MYBRANDBOOK
Researchers from IIIT Hyderabad discovered that using autofill in Android apps can reveal login information to the hosting app. On Android systems, a vulnerability caused by password managers' inconsistent processing of autofill requests might result in the theft of sensitive data. Both Android and password managers are to blame for the credential AutoSpill.
The researchers, led by Prof. Ankit Gangwal from the Centre for Security, Theory and Algorithmic Research (CSTAR), IIIT-Hyderabad, found that every time an app loads a login page in WebView and an autofill request is generated from that WebView, the password managers and the mobile operating system get disoriented about the target page for filling in the login credentials.
While the expected behaviour is to populate the login page in WebView, the app loading the WebView could get access to the sensitive information. Prof. Gangwal said that when a user tries to log in to a music app on the mobile device via Google or Facebook, the music app will open the Google or Facebook login page inside itself, i.e., within the music app, via the WebView.
“When the password manager is invoked to autofill the credentials, ideally it should autofill only into the Google or Facebook page that has been loaded. But we found that the autofill operation could accidentally expose the credentials to the base app, which in this case is your music app,” Prof. Gangwal explained.
He emphasized that, even without phishing, any malicious app that asks for login via another site can automatically get access to sensitive information.
The findings, which will be presented at the Black Hat Europe 2023 conference in December, concluded that both the Android system and the password managers are equally responsible for the credential AutoSpill.