Security Alert: Data Leak Reported in Top Android Password Manager
Austin Jay
Password managers have become increasingly common as an easy way to keep all your logins organized and protected. While these apps make life simpler when there are so many accounts to sign into, they aren't perfect.
Researchers from IIIT Hyderabad presented a new threat called "AutoSpill" at a tech event last year; it can take passwords straight from your password manager.
This discovery proves that users must be more cautious when using these apps.
The researchers identified a potential security weakness: many Android apps use WebView controls to render web pages inside their own interfaces, usually to open links or show login pages.
Most top password managers on Android use this method to automatically fill in usernames and passwords when visiting login pages for services like Apple, Facebook, or Google.
"AutoSpill" exploits this mechanism, breaching Android's secure autofill process to steal data.
The study found weaknesses in major Android password managers: they were still exposed to "AutoSpill" even when no JavaScript was injected, and were exposed when JavaScript was injected.
According to another source, when you log in to websites on the phone, the password manager could accidentally put your login credentials in the wrong place instead of the website. If that happens, the app can see those usernames and passwords without going to the website's login page.
This isn't the app tricking you with fake pages; it exposes the usernames and passwords for actual pages people use. The researchers tested this with different password managers on Android phones, including Google Smart Lock and others such as 1Password, Dashlane, Enpass, LastPass, Keepass2Android, and Keeper.
Password managers like 1Password, LastPass, Enpass, Keeper, and Keepass2Android were all found to have a problem where JavaScript could be injected.
Dashlane and Google Smart Lock were also found to be unsafe when JavaScript injection was enabled.
No one has yet shown this being used to steal actual passwords, but the researchers said it was a serious issue. They said apps posing as something else could take passwords without containing malicious code and could possibly get into the app stores.
The companies that make the password managers said this was a concern. Keeper, LastPass, and Enpass addressed it in different ways. The head of Keeper said Keeper prompts the user when filling passwords into an Android app or website.
LastPass already had a pop-up warning about this and changed its wording after further review.
Google advised password managers to take care with autofill in WebViews and offered tips to make it safer. Enpass quickly fixed the problem in version 6.8.3 after the researchers notified it.
The developers of Keepass2Android haven't commented on this issue yet, so they must still be looking into how it affects their app.