
IIIT-H Spots Data Leak In Apps' Use of Autofill

When a user tries to log into an app on the Android operating system (OS), the OS generates an autofill request to the password manager

Hyderabad: International Institute of Information Technology-Hyderabad researchers have won an award for discovering that the ‘autofill’ functionality in Android-based apps could accidentally leak login credentials to the app hosting the login webpage.

The paper by Prof. Ankit Gangwal and his MTech students Shubham Singh and Abhijeet Srivastava, 'AutoSpill: Credential Leakage from Mobile Password Managers,' recently won the best paper award at the ACM Conference on Data and Application Security and Privacy (CODASPY) 2023.


According to a statement from the university, the team found that every time an app loads a login page in a WebView and an autofill request is generated from that WebView, the password managers (PMs) and the mobile OS lose track of which page the login credentials are meant for. The expected behaviour is to fill only the login page inside the WebView, but the app that loaded the WebView could instead gain access to the sensitive information.

Prof. Gangwal explained with the help of an example, “If one tries to log into a music app on a mobile device, and uses the option of ‘login via Google or Facebook,’ the music app will open the Google or Facebook login page inside itself (i.e., within the music app) via WebView. When the PM is invoked to autofill the credentials, ideally it should autofill only into the Google or Facebook page that has been loaded. But we found that the autofill operation could accidentally expose the credentials to the base app, which in this case is your music app.”

The ramifications in a scenario where the base app is a malicious one are severe. “Even without phishing, any malicious app that asks you to login via another site, like Google or Facebook, can automatically get access to sensitive information,” emphasised the professor.

“We brought this to the notice of Google as well as the password managers, who then acknowledged the security breach,” Prof. Gangwal said in a statement, adding that it is a problem that requires close coordination between the PM and the OS.
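The PM-side half of that coordination is the part a password manager can implement today: when the autofill request carries a web domain (which is what a login page loaded in a WebView looks like to the autofill framework), release the web credential only if the app hosting the WebView is known to be associated with that domain, and otherwise offer nothing. The following is an added illustration written for this article; it is not code from the AutoSpill paper or from any password manager. It uses the real Android `AutofillService` API, but the association table, the `Credential` record and the `lookup` helper are hypothetical stand-ins for a PM's vault and its cached Digital Asset Links checks.

```java
import android.app.assist.AssistStructure;
import android.app.assist.AssistStructure.ViewNode;
import android.os.CancellationSignal;
import android.service.autofill.AutofillService;
import android.service.autofill.Dataset;
import android.service.autofill.FillCallback;
import android.service.autofill.FillContext;
import android.service.autofill.FillRequest;
import android.service.autofill.FillResponse;
import android.service.autofill.SaveCallback;
import android.service.autofill.SaveRequest;
import android.view.View;
import android.view.autofill.AutofillValue;
import android.widget.RemoteViews;
import java.util.*;

/** Illustrative autofill service (not a real password manager). */
public class GuardedAutofillService extends AutofillService {

    // Hypothetical association table: web domain -> host packages that have
    // published a Digital Asset Links statement for it. A real PM would fetch
    // and cache https://<domain>/.well-known/assetlinks.json and also compare
    // the package's signing certificate. Values here are constructed.
    private static final Map<String, Set<String>> VERIFIED_PACKAGES = new HashMap<>();
    static {
        VERIFIED_PACKAGES.put("accounts.idp.example",
                new HashSet<>(Arrays.asList("com.example.idp.android")));
    }

    /** Constructed stand-in for a vault entry. */
    private static final class Credential {
        final String user, secret;
        Credential(String user, String secret) { this.user = user; this.secret = secret; }
    }

    /** Hypothetical vault lookup keyed by package name or web domain. */
    private static Credential lookup(String key) {
        if ("accounts.idp.example".equals(key)) return new Credential("alice", "constructed-secret");
        return null;
    }

    /** Fields gathered from the view tree of one fill request. */
    private static final class Fields { ViewNode username, password; String webDomain; }

    private static void walk(ViewNode node, Fields out) {
        // getWebDomain() is non-null only for content rendered inside a WebView.
        if (out.webDomain == null && node.getWebDomain() != null) out.webDomain = node.getWebDomain();
        String[] hints = node.getAutofillHints();
        if (hints != null) {
            for (String h : hints) {
                if (View.AUTOFILL_HINT_USERNAME.equals(h)) out.username = node;
                if (View.AUTOFILL_HINT_PASSWORD.equals(h)) out.password = node;
            }
        }
        for (int i = 0; i < node.getChildCount(); i++) walk(node.getChildAt(i), out);
    }

    @Override
    public void onFillRequest(FillRequest request, CancellationSignal signal, FillCallback callback) {
        List<FillContext> contexts = request.getFillContexts();
        AssistStructure structure = contexts.get(contexts.size() - 1).getStructure();
        // The package owning the Activity that hosts the login UI: the "base app".
        String hostPackage = structure.getActivityComponent().getPackageName();

        Fields f = new Fields();
        for (int i = 0; i < structure.getWindowNodeCount(); i++) {
            walk(structure.getWindowNodeAt(i).getRootViewNode(), f);
        }
        if (f.username == null || f.password == null) { callback.onSuccess(null); return; }

        String key;
        if (f.webDomain == null) {
            key = hostPackage;                       // native login form: key by app
        } else {
            Set<String> allowed = VERIFIED_PACKAGES.get(f.webDomain);
            if (allowed == null || !allowed.contains(hostPackage)) {
                // A WebView login page inside a host app not verified for that
                // domain: offer no dataset, so nothing can spill into the base app.
                callback.onSuccess(null);
                return;
            }
            key = f.webDomain;                       // verified host: key by domain
        }

        Credential c = lookup(key);
        if (c == null) { callback.onSuccess(null); return; }

        RemoteViews presentation = new RemoteViews(getPackageName(), android.R.layout.simple_list_item_1);
        presentation.setTextViewText(android.R.id.text1, c.user);
        Dataset dataset = new Dataset.Builder(presentation)
                .setValue(f.username.getAutofillId(), AutofillValue.forText(c.user))
                .setValue(f.password.getAutofillId(), AutofillValue.forText(c.secret))
                .build();
        callback.onSuccess(new FillResponse.Builder().addDataset(dataset).build());
    }

    @Override
    public void onSaveRequest(SaveRequest request, SaveCallback callback) { callback.onSuccess(); }
}
```

The decision hinges on two facts the framework already gives the service: the host package from `getActivityComponent()` and the web domain from `ViewNode.getWebDomain()`. A music app loading an identity provider's login page would present that provider's domain with its own package name, fail the association check, and receive no dataset. Production password managers additionally allow-list known browser packages, since a browser legitimately hosts pages for every domain; that list is omitted here.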

The researchers are exploring the possibility of a reverse AutoSpill attack, a scenario in which credentials flow the other way: from the hosting app into the hosted webpage.

The Big Leak:

If a user tries to log into a music app on a mobile device, and uses the option of “login via Google or Facebook,” the music app will open the Google or Facebook login page inside itself (i.e., within the music app) via WebView.

When the Password Manager is invoked to autofill the credentials, ideally it should autofill only into the Google or Facebook page that has been loaded.

IIIT-H researchers found that the autofill operation could accidentally expose the credentials to the base app, which in this case is the music app.

The ramifications in a scenario where the base app is a malicious one are frightening.

IIIT-H alerted Google, which acknowledged the security breach.
