How worried should we be about “AutoSpill” confirmed leak in Android password manager?


By now, you’ve probably heard about a vulnerability called AutoSpill, which can potentially leak credentials from any of seven Android password managers. The threat it poses is real, but it’s also more limited and easier to contain than most of the reports so far have made it out to be.

This FAQ delves into the many nuances that make AutoSpill difficult for most people (including yours truly) to understand. This post would not have been possible without the valuable help of Alessandro Ortiz, a researcher who found a similar problem in Chrome in 2020.

Q: What is AutoSpill?

A: While most media coverage has described AutoSpill as an attack, it is more helpful to see it as a set of unsafe behaviors in the Android operating system that occur when credentials stored in a password manager are automatically filled into an app installed on the device. This insecure behavior exposes the filled credentials to the third-party app, and it can apply to any app that accepts credentials for logging the user into an account.

Password managers affected in one way or another include Google Smart Lock, Dashlane, 1Password, LastPass, Enpass, Keepass2Android, and Keeper. Other password managers may also be affected, since the researchers who identified AutoSpill limited their testing to these seven products.

AutoSpill was discovered by researchers Ankit Gangwal, Shubham Singh, and Abhijeet Srivastava of the International Institute of Information Technology in Hyderabad, India. They presented their findings last week at the Black Hat security conference in London.

Q: If a third-party app allows or requires a user to log into an account, why is it a problem for a password manager to fill in the password?

A: It is a problem only in certain scenarios. One is when a third-party app lets users log into one account using the credentials for another account. For example, hundreds of apps and sites use the OAuth standard, which offers users the convenience of signing in with the credentials of an existing account on a site like Google, Facebook, or Apple. The biggest selling point of these arrangements, a form of delegated access, is that the third-party app or service never sees the credentials. AutoSpill has the potential to violate this basic guarantee.

Another way a malicious app can exploit AutoSpill is by loading, inside a WebView, the login page of a bank’s site or another existing service where the user holds an account. When the malicious app loads the trusted site’s login page, the user will be prompted to choose credentials. If the user accepts the autofill, the credentials are filled not only into the WebView but also into the native fields of the hosting app (more about the difference between WebView and native field views in a moment). And depending on the password manager in use, this leak can happen without any warning.
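A toy model of the autofill behavior described above, added here as an illustration; it is not code from the article, the researchers, or any password manager. The field model, app package name and bank domain are constructed, and the "hardened" policy simply scopes a credential to fields belonging to the origin it was stored for.

```python
from dataclasses import dataclass

# Constructed model of an autofill request (not a real Android API). Each
# field is either a native view owned by the host app's package, or a form
# field inside a WebView that is showing a page from some web origin.

@dataclass(frozen=True)
class Field:
    field_id: str
    host: str          # native field: app package; WebView field: page host
    in_webview: bool

@dataclass(frozen=True)
class Credential:
    domain: str        # the site this stored credential belongs to
    username: str
    password: str

def unsafe_fill(fields, cred):
    """AutoSpill-style behaviour: once the user picks a credential for the
    WebView's login page, every credential field in the view tree is filled,
    including the host app's own native fields."""
    return {f.field_id: cred for f in fields}

def scoped_fill(fields, cred):
    """Hardened policy: fill only WebView fields whose page origin matches the
    credential's domain. Native fields belong to the app package, so a
    credential stored for the bank never lands in a third-party app's widgets,
    and neither does a WebView page from some other origin."""
    return {f.field_id: cred
            for f in fields if f.in_webview and f.host == cred.domain}

def demo():
    """Returns (unsafe result, scoped result) for a constructed request."""
    cred = Credential("login.example-bank.com", "alice", "hunter2")
    fields = [
        Field("web_user", "login.example-bank.com", True),
        Field("web_pass", "login.example-bank.com", True),
        Field("web_other", "other-site.example", True),
        Field("native_user", "com.example.thirdpartyapp", False),
        Field("native_pass", "com.example.thirdpartyapp", False),
    ]
    return unsafe_fill(fields, cred), scoped_fill(fields, cred)

if __name__ == "__main__":
    unsafe, scoped = demo()
    print("unsafe fills:", sorted(unsafe))
    print("scoped fills:", sorted(scoped))
```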

It’s hard to imagine a realistic pretext a malicious app could use to trick a user into signing into a third-party account not managed by the app’s developer, and the AutoSpill researchers did not offer one. One possibility might be a malicious version of an app that transfers playlists from one music service to another. Legitimate apps such as FreeYourMusic or Soundiiz provide a useful service by reading a playlist stored in the account of one service, such as Apple Music, and then creating a matching list in an account on another service, such as Tidal. To work as intended, these programs require the credentials for both accounts.

Another way a malicious app can use AutoSpill is to inject JavaScript into the WebView that copies the credentials and sends them to the attacker. These types of attacks have been known for a long time and work in more scenarios than the ones AutoSpill demonstrated.

What is not clear from some of the coverage of AutoSpill is that it poses a threat only in these limited scenarios, and even then, it exposes only the single set of credentials being filled. AutoSpill is not a threat when the password manager fills in a password for an account operated by the same developer or service provider as the app itself, for example when entering Gmail credentials into Google’s Gmail app, or Facebook credentials into the official Facebook Android app.
