Security Alert: Data Leak Reported in Top Android Password Manager
Austin Jay

Password managers have become increasingly common as an easy way to keep all your logins organized and protected. While these apps simplify things when there are so many accounts to sign into, they aren't perfect.
Researchers from IIIT Hyderabad presented a new threat called "AutoSpill" at a tech event last year; it can steal passwords straight from your password manager.
This discovery proves that users must be more cautious when using these apps.
The researchers identified a potential security weakness: many Android apps use WebView controls to render web pages directly inside their own interfaces, usually to open links or display login pages.
Most top password managers on Android use this method to automatically fill in usernames and passwords when visiting login pages for services like Apple, Facebook, or Google.
"AutoSpill" exploits this mechanism, breaching Android's secure autofill process to steal data.
The study found weaknesses in major Android password managers: they remained exposed to "AutoSpill" even when no JavaScript was injected, and were also exposed when JavaScript injection was used.
According to another source, when you log into a website on the phone, the password manager could mistakenly fill your login credentials into the wrong place instead of the website. If that happens, the app can see those usernames and passwords without going to the website's login page.
This does not involve the app tricking you with fake pages; the usernames and passwords exposed come from the actual pages people use. The researchers tested this against different password managers on Android phones, including Google Smart Lock and others such as 1Password, Dashlane, Enpass, LastPass, Keepass2Android, and Keeper.
Password managers like 1Password, LastPass, Enpass, Keeper, and Keepass2Android were all found to have a problem where JavaScript could be injected.
Dashlane and Google Smart Lock were also found to be unsafe when JavaScript injection was enabled.
No one has yet shown this being used to steal actual passwords, but the researchers said it was a serious issue. They said an app masquerading as something else could capture passwords without containing malicious code, and could possibly get into the app stores.
The companies behind the password managers said this was a concern. Keeper, LastPass, and Enpass addressed it in different ways. Keeper's top executive said Keeper prompts the user when filling passwords into an Android app or website.
LastPass already had a pop-up warning about this and revised its wording after further review.
Google advised password managers to be careful with autofill in WebViews and offered tips for making it safer. Enpass quickly fixed the problem in version 6.8.3 after the researchers notified it.
The developers of Keepass2Android have not yet commented on the issue, so they must still be looking into how it affects their password manager.