IIIT Hyderabad discovers Android apps may leak login information
By MYBRANDBOOK
Researchers from IIIT Hyderabad have discovered that Android apps that use autofill can reveal login information to the hosting app. On Android systems, a vulnerability caused by password managers' inconsistent handling of autofill requests might result in the theft of sensitive data. Both Android and password managers are to blame for the credential AutoSpill.
The researchers, led by Prof. Ankit Gangwal from the Centre for Security, Theory and Algorithmic Research (CSTAR), IIIT-Hyderabad, found that every time an app loads a login page in WebView and an autofill request is generated from that WebView, the password managers and the mobile operating system get confused about the target page for filling in the login credentials.
While the expected behaviour is to populate the login page in WebView, the app loading the WebView could get access to the sensitive information. Prof. Gangwal said that when a user tries to log in to a music app on a mobile device via Google or Facebook, the music app will open the Google or Facebook login page inside itself, i.e., within the music app, via the WebView.
“When the password manager is invoked to autofill the credentials, ideally it should autofill only into the Google or Facebook page that has been loaded. But we found that the autofill operation could accidentally expose the credentials to the base app, which in this case is your music app,” Prof. Gangwal explained.
He emphasized that, even without phishing, any malicious app that asks the user to log in via another site can automatically get access to sensitive information.
The findings, which will be presented at the Black Hat Europe 2023 conference in December, concluded that both the Android system and the password managers are equally responsible for the credential AutoSpill.