Media is too big
VIEW IN TELEGRAM
AutoSpill: Zero Effort Credential Stealing from Mobile Password Managers
We will present a novel attack - that we call AutoSpill - to steal users' saved credentials from PMs during an autofill operation on a login page loaded inside an app. AutoSpill violates Android's secure autofill process. We found that the majority of top Android PMs were vulnerable to AutoSpill; even without JavaScript injections. With #JavaScriptInjections enabled, all of them were found vulnerable. We discovered the fundamental reasons for AutoSpill and will propose systematic countermeasures to fix AutoSpill properly. We responsibly disclosed our findings to the affected PMs and Android security team. Different PMs and Google accepted our work as a valid issue.
By: Ankit Gangwal , Shubham Singh , Abhijeet Srivastava
Full Abstract and Presentation Materials
#Android #Vulnerabilities #PasswordManager #AutoSpill
We will present a novel attack - that we call AutoSpill - to steal users' saved credentials from PMs during an autofill operation on a login page loaded inside an app. AutoSpill violates Android's secure autofill process. We found that the majority of top Android PMs were vulnerable to AutoSpill; even without JavaScript injections. With #JavaScriptInjections enabled, all of them were found vulnerable. We discovered the fundamental reasons for AutoSpill and will propose systematic countermeasures to fix AutoSpill properly. We responsibly disclosed our findings to the affected PMs and Android security team. Different PMs and Google accepted our work as a valid issue.
By: Ankit Gangwal , Shubham Singh , Abhijeet Srivastava
Full Abstract and Presentation Materials
#Android #Vulnerabilities #PasswordManager #AutoSpill