
Android vulnerability AutoSpill exposed: it can disclose sensitive user information, and a number of password manager applications are affected

2024-03-04 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)12/24 Report--

CTOnews.com, December 8 (Xinhua)-- Security experts from cyber security company IIIT Hyderabad recently attended the Black Hat Europe conference and disclosed a vulnerability in Android's autofill feature that could inadvertently reveal users' passwords.

The experts named the vulnerability "AutoSpill" and found that it could bypass Android's secure autofill mechanism and expose sensitive information such as stored passwords.

When an Android app loads a login page in a WebView, the password manager cannot pinpoint which field the login information is meant for, so the credentials can be exposed to the native fields of the underlying application.

Researcher Ankit Gangwal explained that an attacker could exploit the vulnerability by legitimately logging in through a Google or Facebook account in an application and still steal the user's account information.

The team tested mainstream password managers, including 1Password, LastPass, Keeper, and Enpass, and found that the vulnerability existed even with JavaScript injection disabled.

Pedro Canahuati, 1Password's chief technology officer, told TechCrunch that the company had identified AutoSpill and was working on a fix. Canahuati says:

While the fix will further enhance our security posture, 1Password's auto-fill feature is designed to require users to take clear action. This update provides additional protection by preventing native fields from being populated with credentials that apply only to Android's WebView.

Craig Lurey, Keeper's chief technology officer, said in a statement shared with TechCrunch that the company had been notified of potential vulnerabilities but did not say whether any fixes had been made.

CTOnews.com attaches the address of the detailed paper on the vulnerability, which interested users can read in depth.
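The check described in the 1Password statement above (do not populate native fields with credentials that apply only to a WebView) can be modelled as a walk over the view hierarchy. This is an added example, not code from the article, the paper or any password manager; `Node`, `fill_targets` and the sample domain are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    """Constructed stand-in for one view in the hierarchy an autofill service sees."""
    autofill_id: Optional[str] = None   # set only on fillable fields
    web_domain: Optional[str] = None    # set on the node that hosts web content
    children: list[Node] = field(default_factory=list)


def fill_targets(root: Node, credential_domain: str) -> list[str]:
    """Return ids of fields allowed to receive a credential saved for a website.

    A field qualifies only if it sits beneath a node whose web domain equals
    the credential's domain. Native fields of the host app have no web-domain
    ancestor, so they are never returned.
    """
    targets: list[str] = []

    def walk(node: Node, domain: Optional[str]) -> None:
        domain = node.web_domain or domain  # web content inherits its host's domain
        if (node.autofill_id and domain is not None
                and domain.lower() == credential_domain.lower()):
            targets.append(node.autofill_id)
        for child in node.children:
            walk(child, domain)

    walk(root, None)
    return targets


# Constructed sample: a host app with its own native fields plus a WebView
# showing a third-party login page (the situation the article describes).
SAMPLE = Node(children=[
    Node(autofill_id="native_username"),
    Node(autofill_id="native_password"),
    Node(web_domain="accounts.example.com", children=[
        Node(autofill_id="web_username"),
        Node(autofill_id="web_password"),
    ]),
])

if __name__ == "__main__":
    print(fill_targets(SAMPLE, "accounts.example.com"))
```

On Android, the equivalent of `web_domain` is what an autofill service reads from `AssistStructure.ViewNode.getWebDomain()`.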
