This malware infiltrates password managers, but not all of them


A new attack called AutoSpill is capable of recovering usernames and passwords stored in managers. It does this at a specific time and without the user noticing.


Instead of directly stealing money from your bank account or your cryptocurrencies, hackers can target the logins and passwords that you use to connect to different online services. It is a way to get into them while leaving fewer traces. To prevent someone from guessing your passwords, you have gotten into the habit of storing them in a password manager so that they are randomly generated and stored securely.

Unfortunately, as protected as they are, these programs are not foolproof. We remember that LastPass suffered two major cyberattacks, after which the hackers left with the equivalent of 4.2 million euros. As if that wasn't enough, researchers from the International Institute of Information Technology discovered a new type of attack called AutoSpill. Affecting password managers on Android, it occurs at the moment when the app automatically fills in login information.

AutoSpill attack steals usernames and passwords saved in certain managers

To understand it, you need to know that most Android applications use WebView to display web content. For example, this allows you to see the login page for a service directly in the app, rather than being redirected to the browser. Android password managers also use WebView to automatically fill in credentials. This is where the flaw lies, and it can be exploited even without the hacker injecting JavaScript code to execute certain commands.

AutoSpill takes advantage of the fact that Android does not define precisely (or cannot define) who is responsible for securing the data passing through during auto-completion. In an attack, a fake app displaying a login page could steal the information without the user realizing it.

The teams tested Google Smart Lock, Dashlane, 1Password, LastPass, Pass, Keepass2Android and Keeper. Only Google Smart Lock and Dashlane are not vulnerable to AutoSpill without JavaScript injection. With JavaScript injection, all of them are affected. Spokespeople for 1Password, LastPass, Keeper Security and Google have indicated either that they are working on a fix or that they already have security in place against this type of attack.

Source: Bleeping Computer


