Hyderabad: Researchers at the International Institute of Information Technology, Hyderabad (IIIT-H) have won an award for discovering that the ‘autofill’ functionality in Android-based apps could accidentally leak login credentials to the app hosting the login webpage.
The paper, ‘AutoSpill: Credential Leakage from Mobile Password Managers,’ by Prof Ankit Gangwal and his MTech students Shubham Singh and Abhijeet Srivastava, recently won the best paper award at the ACM Conference on Data and Application Security and Privacy (CODASPY) 2023.
As per the study, when a user tries to log into an app on the Android operating system (OS), the OS generates an autofill request to the password manager (PM).
According to a statement from the university, the team found that when an app loads a login page in a WebView and an autofill request is generated from that WebView, the PM and the mobile OS can lose track of which page the credentials are meant for.
The expected behaviour is to populate only the login page inside the WebView; instead, the app hosting the WebView could gain access to the credentials.
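The flow described above is the Android autofill framework: the OS captures the screen's view tree and hands it to the password manager's autofill service, which decides which fields to fill. The following sketch, added here as an illustration and not code from the AutoSpill paper or from any password manager, shows a defensive policy for that decision: fill web credentials only into fields whose reported web domain matches the credential, never into native fields of the host app, and show the user which host package will receive the fill. The Android classes used (AutofillService, AssistStructure.ViewNode.getWebDomain(), Dataset) are real framework APIs; the credential vault and its values are constructed placeholders. Because the check relies on the framework's own domain attribution, which the paper shows can be confused, it is defence in depth rather than a complete fix.

```java
// Added example, not code from the AutoSpill paper or any shipping password manager.
// An Android AutofillService that only fills a web credential into fields whose
// reported web domain matches, and never into native fields of the host app.
import android.app.assist.AssistStructure;
import android.app.assist.AssistStructure.ViewNode;
import android.os.CancellationSignal;
import android.service.autofill.AutofillService;
import android.service.autofill.Dataset;
import android.service.autofill.FillCallback;
import android.service.autofill.FillContext;
import android.service.autofill.FillRequest;
import android.service.autofill.FillResponse;
import android.service.autofill.SaveCallback;
import android.service.autofill.SaveRequest;
import android.view.View;
import android.view.autofill.AutofillValue;
import android.widget.RemoteViews;
import java.util.ArrayList;
import java.util.List;

public class DomainScopedAutofillService extends AutofillService {

    // Placeholder credential record; a real manager would load this from its vault.
    static final class Credential {
        final String domain, username, password;
        Credential(String domain, String username, String password) {
            this.domain = domain; this.username = username; this.password = password;
        }
    }

    // Constructed sample vault (assumption): nothing here is a real account.
    private final List<Credential> vault = List.of(
            new Credential("accounts.example.com", "alice", "placeholder-password"));

    @Override
    public void onFillRequest(FillRequest request, CancellationSignal signal, FillCallback callback) {
        List<FillContext> contexts = request.getFillContexts();
        AssistStructure structure = contexts.get(contexts.size() - 1).getStructure();
        // The app whose window is being filled, i.e. the WebView host in the WebView case.
        String hostPackage = structure.getActivityComponent().getPackageName();

        List<ViewNode> fields = new ArrayList<>();
        for (int i = 0; i < structure.getWindowNodeCount(); i++) {
            collectLoginFields(structure.getWindowNodeAt(i).getRootViewNode(), fields);
        }

        Dataset.Builder dataset = null;
        for (ViewNode field : fields) {
            String webDomain = field.getWebDomain();
            if (webDomain == null) {
                // Native host-app field: web credentials are never offered here, even though
                // it arrived in the same fill request as the WebView's login page.
                continue;
            }
            Credential cred = lookupByDomain(webDomain);
            if (cred == null) continue;  // no credential for this origin
            if (dataset == null) {
                // Presentation shown in the autofill dropdown; naming the host package lets the
                // user see which app's window the credentials will be released into.
                RemoteViews presentation =
                        new RemoteViews(getPackageName(), android.R.layout.simple_list_item_1);
                presentation.setTextViewText(android.R.id.text1,
                        cred.username + " for " + cred.domain + " (in " + hostPackage + ")");
                dataset = new Dataset.Builder(presentation);
            }
            AutofillValue value = hasHint(field, View.AUTOFILL_HINT_PASSWORD)
                    ? AutofillValue.forText(cred.password)
                    : AutofillValue.forText(cred.username);
            dataset.setValue(field.getAutofillId(), value);
        }

        if (dataset == null) {
            callback.onSuccess(null);  // nothing eligible: offer no suggestions
            return;
        }
        callback.onSuccess(new FillResponse.Builder().addDataset(dataset.build()).build());
    }

    @Override
    public void onSaveRequest(SaveRequest request, SaveCallback callback) {
        callback.onSuccess();  // saving new credentials is out of scope for this sketch
    }

    // Walk the view tree and keep only nodes tagged as username/e-mail/password fields.
    private static void collectLoginFields(ViewNode node, List<ViewNode> out) {
        if (hasHint(node, View.AUTOFILL_HINT_USERNAME) || hasHint(node, View.AUTOFILL_HINT_PASSWORD)
                || hasHint(node, View.AUTOFILL_HINT_EMAIL_ADDRESS)) {
            out.add(node);
        }
        for (int i = 0; i < node.getChildCount(); i++) collectLoginFields(node.getChildAt(i), out);
    }

    private static boolean hasHint(ViewNode node, String hint) {
        String[] hints = node.getAutofillHints();
        if (hints == null) return false;
        for (String h : hints) if (hint.equals(h)) return true;
        return false;
    }

    // Exact-match lookup on the web domain the framework reported for the field.
    private Credential lookupByDomain(String domain) {
        for (Credential c : vault) if (c.domain.equalsIgnoreCase(domain)) return c;
        return null;
    }
}
```

The `webDomain == null` branch is the part that matters for the leak the paper describes: a request that contains both the WebView's login fields and native fields of the host app will only ever have the WebView fields populated, and the dropdown text makes the host app visible to the user before anything is released.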
Explaining the process, Prof Gangwal gave an example: “If one tries to log into a music app on a mobile device, and uses the option of ‘login via Google or Facebook’, the music app will open the Google or Facebook login page inside itself (i.e., within the music app) via WebView.
“When the PM is invoked to autofill the credentials, ideally it should autofill only into the Google or Facebook page that has been loaded. But we found that the autofill operation could accidentally expose the credentials to the base app, which in this case is your music app,” the professor added.
He further emphasised that even without phishing, any malicious app that asks you to log in via another site, like Google or Facebook, can automatically get access to sensitive information.
“We brought this to the notice of Google as well as the password managers, who then acknowledged the security breach,” Gangwal said in a statement, adding that the ramifications in a scenario where the base app is a malicious one are frightening.