HYDERABAD: Are you one of those who relies on password managers (PMs) for creating and helping remember passwords? Then beware, especially if you use PMs on your mobile devices.
A team of researchers from Indian Institute of Information Technology at Hyderabad (IIITH) has found a serious vulnerability in the autofill function of Android-based apps as it accidentally leaks login credentials to apps hosting the web pages, exposing the user to potential malicious attacks.
The researchers, led by IIITH Prof Ankit Gangwal and MTech students Shubham Singh and Abhijeet Srivastava, who have rechristened this flaw as AutoSpill, found that when you try to log into an app on an Android Operating System (OS), the OS itself generates an auto filling request to the PM by acting as an intermediary between the apps.
“Every time an app loads a login page in WebView, and an autofill request is generated from that WebView, the PMs and the mobile OS get disoriented about the target page for filling in the login credentials. While the expected behaviour is to populate the login page in WebView, the app loading the WebView could get access to the sensitive information,” said Prof Gangwal.
The IIITH researchers said the leakage of credentials on mobile devices happens because PMs on modern mobile operating systems work differently than they do on computers. Currently an estimated 92.3% of internet users access the internet via mobile devices, enhancing the vulnerability of those using PMs.
Citing an example, Prof Gangwal said: “Let’s say you are trying to log into your favourite music app on your mobile device and use the option of ‘login via Google or Facebook’, the music app will open Google or Facebook login page inside itself via WebView. When the PM is invoked to autofill the credentials, ideally it should autofill only into the Google or Facebook page that has been loaded. But we found that the autofill operation could accidentally expose the credentials to the music app (base app).”
He said this leak could have “humongous” ramifications if the base app is malicious. “Even without phishing, any malicious app that asks you to login via another site, like Google or Facebook, can automatically get access to sensitive information,” he explained.
Their paper ‘AutoSpill: Credential Leakage from Mobile Password Managers’ has already won the best paper award at the ACM Conference on Data and Application Security and Privacy (CODASPY) 2023 and the trio will now be presenting their findings at the prestigious information security event BlackHat Europe 2023 in December.
The IIITH team also tested their AutoSpill attack in the real world by using some top ranked PMs on three types of devices with recent Android versions only to find that most of the PMs were susceptible to credential leakages even with the JavaScript injection disabled.
When the JavaScript injection was enabled, all the PMs in the experiment were vulnerable to an AutoSpill attack.
The team also tried to investigate the reasons behind AutoSpill by going into the data processing and information exchange between a PM and an Android system and found that as both, Android and PM, handle an autofill request with slightly different objectives such as security and usability they eventually become incompatible from point of view of the amount of information flowing between them.
The team has also brought these vulnerabilities to the attention of Google as well as the password managers, who acknowledged the security breach, said Prof Gangwal, pointing out that a close-knit coordination between the PM and OS is needed to remove the vulnerability.
The team is now looking at the possibility of a reverse AutoSpill attack where one can extract important credentials from the hosting app to the hosted webpage.
“If you are autofilling into a social media app on your phone, there could be a malicious web page hidden in the background, say for instance an advertisement banner that could be extracting your sensitive information towards itself,” he explained.
A team of researchers from Indian Institute of Information Technology at Hyderabad (IIITH) has found a serious vulnerability in the autofill function of Android-based apps as it accidentally leaks login credentials to apps hosting the web pages, exposing the user to potential malicious attacks.
The researchers, led by IIITH Prof Ankit Gangwal and MTech students Shubham Singh and Abhijeet Srivastava, who have rechristened this flaw as AutoSpill, found that when you try to log into an app on an Android Operating System (OS), the OS itself generates an auto filling request to the PM by acting as an intermediary between the apps.
“Every time an app loads a login page in WebView, and an autofill request is generated from that WebView, the PMs and the mobile OS get disoriented about the target page for filling in the login credentials. While the expected behaviour is to populate the login page in WebView, the app loading the WebView could get access to the sensitive information,” said Prof Gangwal.
The IIITH researchers said the leakage of credentials on mobile devices happens because PMs on modern mobile operating systems work differently than they do on computers. Currently an estimated 92.3% of internet users access the internet via mobile devices, enhancing the vulnerability of those using PMs.
Citing an example, Prof Gangwal said: “Let’s say you are trying to log into your favourite music app on your mobile device and use the option of ‘login via Google or Facebook’, the music app will open Google or Facebook login page inside itself via WebView. When the PM is invoked to autofill the credentials, ideally it should autofill only into the Google or Facebook page that has been loaded. But we found that the autofill operation could accidentally expose the credentials to the music app (base app).”
He said this leak could have “humongous” ramifications if the base app is malicious. “Even without phishing, any malicious app that asks you to login via another site, like Google or Facebook, can automatically get access to sensitive information,” he explained.
Their paper ‘AutoSpill: Credential Leakage from Mobile Password Managers’ has already won the best paper award at the ACM Conference on Data and Application Security and Privacy (CODASPY) 2023 and the trio will now be presenting their findings at the prestigious information security event BlackHat Europe 2023 in December.
The IIITH team also tested their AutoSpill attack in the real world by using some top ranked PMs on three types of devices with recent Android versions only to find that most of the PMs were susceptible to credential leakages even with the JavaScript injection disabled.
When the JavaScript injection was enabled, all the PMs in the experiment were vulnerable to an AutoSpill attack.
The team also tried to investigate the reasons behind AutoSpill by going into the data processing and information exchange between a PM and an Android system and found that as both, Android and PM, handle an autofill request with slightly different objectives such as security and usability they eventually become incompatible from point of view of the amount of information flowing between them.
The team has also brought these vulnerabilities to the attention of Google as well as the password managers, who acknowledged the security breach, said Prof Gangwal, pointing out that a close-knit coordination between the PM and OS is needed to remove the vulnerability.
The team is now looking at the possibility of a reverse AutoSpill attack where one can extract important credentials from the hosting app to the hosted webpage.
“If you are autofilling into a social media app on your phone, there could be a malicious web page hidden in the background, say for instance an advertisement banner that could be extracting your sensitive information towards itself,” he explained.
