Security Alert: Data Leak Reported in Top Android Password Manager
Austin Jay

Password managers have become a common, convenient way to keep all your logins organized and protected. While these apps make signing into many accounts simpler, they aren't perfect.
Researchers from IIIT Hyderabad presented a new threat, called "AutoSpill", at a tech event last year; it can swipe passwords straight from your password manager.
This discovery proves that users must be more cautious when using these apps.
The researchers noticed something that could undermine security: many Android apps use WebView controls to render web pages directly inside their own interface, typically to open links or show a login page.
Most top Android password managers rely on this mechanism to automatically fill in usernames and passwords when a login page for a service such as Apple, Facebook, or Google is loaded.
"AutoSpill" exploits this mechanism, subverting Android's secure autofill process to capture credentials.
The study found holes in major Android password managers: they could be attacked by "AutoSpill" even without JavaScript injection, and were also exposed when JavaScript injection was enabled.
According to another source, when you log into a website on the phone, the password manager could accidentally deliver your login credentials to the host app instead of the website. When that happens, the app can read those usernames and passwords without you ever reaching the website's login page.
This isn't a matter of an app tricking you with fake pages; the credentials leak from the genuine pages people use. The researchers tested this with different password managers on Android phones, including Google Smart Lock as well as 1Password, Dashlane, Enpass, LastPass, Keepass2Android, and Keeper.
Password managers like 1Password, LastPass, Enpass, Keeper, and Keepass2Android were all found to be vulnerable to the attack.
Dashlane and Google Smart Lock were also found to be unsafe when JavaScript injection was enabled.
Nobody has yet shown this being used to steal real passwords, but the researchers said it was a serious issue: malicious apps posing as something else could capture passwords without any malicious code, and might therefore make it into the app stores.
The password manager vendors acknowledged the problem. Keeper, LastPass, and Enpass addressed it in different ways. Keeper's chief executive said Keeper prompts the user before filling passwords into an Android app or website.
LastPass already showed a pop-up warning about this scenario and revised its wording after looking into the issue further.
Google told password managers to handle autofill in WebViews carefully and issued guidance on making it safer. Enpass quickly fixed the problem in version 6.8.3 after the researchers reported it.
The developers of Keepass2Android have not yet commented on the issue, so they are presumably still assessing its impact.
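The mechanism described above (a password manager filling a login form that lives inside another app's WebView) and the mitigation Keeper describes (prompting the user before filling into an Android app) can both be seen in a single Android autofill service. The following Kotlin sketch is an added example written for this article; it is not code from the researchers or from any of the vendors named. It assumes a hypothetical `ConfirmFillActivity.pendingIntent(...)` helper that returns an `IntentSender` for a confirmation screen, a constructed in-memory vault, and a placeholder allowlist of package names; real managers typically verify the host app against the site's Digital Asset Links instead of a hard-coded list.

```kotlin
// Added example (not the article's or any vendor's code): an Android
// AutofillService that will not silently fill a web login rendered inside
// a WebView of an app that is not a known host for that domain.
import android.app.assist.AssistStructure
import android.os.CancellationSignal
import android.service.autofill.AutofillService
import android.service.autofill.Dataset
import android.service.autofill.FillCallback
import android.service.autofill.FillRequest
import android.service.autofill.FillResponse
import android.view.View
import android.view.autofill.AutofillValue
import android.widget.RemoteViews

class GuardedAutofillService : AutofillService() {

    // Constructed sample vault: web domain -> credentials plus the package
    // names allowed to embed that domain's login page in a WebView.
    // Values are placeholders, not real credentials.
    private data class Entry(val user: String, val pass: String, val trustedPackages: Set<String>)
    private val vault = mapOf(
        "accounts.example.com" to Entry("alice", "PLACEHOLDER-PASSWORD", setOf("com.example.officialapp"))
    )

    override fun onFillRequest(request: FillRequest, signal: CancellationSignal, callback: FillCallback) {
        val structure = request.fillContexts.last().structure
        // The app that owns the activity being filled, not the web page.
        val hostPackage = structure.activityComponent.packageName

        val nodes = mutableListOf<AssistStructure.ViewNode>()
        for (i in 0 until structure.windowNodeCount) {
            collect(structure.getWindowNodeAt(i).rootViewNode, nodes)
        }

        // Fields inside a WebView carry the page's domain; native fields do not.
        val webDomain = nodes.firstNotNullOfOrNull { it.webDomain }
        val userId = nodes.firstOrNull { it.autofillHints?.contains(View.AUTOFILL_HINT_USERNAME) == true }?.autofillId
        val passId = nodes.firstOrNull { it.autofillHints?.contains(View.AUTOFILL_HINT_PASSWORD) == true }?.autofillId
        if (webDomain == null || userId == null || passId == null) {
            callback.onSuccess(null) // nothing to offer
            return
        }

        val entry = vault[webDomain]
        if (entry == null) {
            callback.onSuccess(null)
            return
        }

        val presentation = RemoteViews(packageName, android.R.layout.simple_list_item_1)
        presentation.setTextViewText(android.R.id.text1, "Login for $webDomain")
        val dataset = Dataset.Builder(presentation)
            .setValue(userId, AutofillValue.forText(entry.user))
            .setValue(passId, AutofillValue.forText(entry.pass))

        // The AutoSpill condition: a web login page embedded by an app that is
        // not a trusted host for that domain. Attach an authentication step so
        // the credentials are only filled after the user explicitly confirms.
        if (hostPackage !in entry.trustedPackages) {
            // Hypothetical helper: builds an IntentSender for a confirmation
            // activity that shows the host app and the domain being filled.
            dataset.setAuthentication(ConfirmFillActivity.pendingIntent(this, hostPackage, webDomain))
        }
        callback.onSuccess(FillResponse.Builder().addDataset(dataset.build()).build())
    }

    // Depth-first walk over the view hierarchy handed to the autofill service.
    private fun collect(node: AssistStructure.ViewNode, out: MutableList<AssistStructure.ViewNode>) {
        out.add(node)
        for (i in 0 until node.childCount) collect(node.getChildAt(i), out)
    }
}
```

The point of the check is that the autofill framework tells the service both which app hosts the form (`activityComponent`) and which web domain the form belongs to (`webDomain`); a manager that keys its decision on the domain alone will happily hand a site's credentials to whichever app embedded that site's login page. Requiring confirmation when the two do not match is the behaviour Keeper describes, and a prompt like LastPass's warning dialog serves the same purpose.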