this post was submitted on 13 Dec 2023
0 points (50.0% liked)

Security

5005 readers
1 users here now

Confidentiality Integrity Availability

founded 4 years ago
MODERATORS
top 1 comments
sorted by: hot top controversial new old
[–] [email protected] 2 points 11 months ago

This is the best summary I could come up with:


This post wouldn't have been possible without invaluable assistance from Alesandro Ortiz, a researcher who discovered a similar vulnerability in Chrome in 2020.

A: While much of the press coverage of AutoSpill has described it as an attack, it’s more helpful to view it as a set of unsafe behaviors that occur inside the Android operating system when a credential stored in a password manager is autofilled into an app installed on the device.

AutoSpill was identified by researchers Ankit Gangwal, Shubham Singh, and Abhijeet Srivastava of the International Institute of Information Technology at Hyderabad in India.

Another way a malicious app might exploit AutoSpill is by injecting JavaScript into the WebView content that copies the credentials and sends them to the attacker.

What hasn’t been clear from some of the coverage of AutoSpill is that it poses a threat only in these limited scenarios, and even then, it exposes only a single login credential, specifically the one being autofilled.

AutoSpill doesn’t pose a threat when a password manager autofills a password for an account managed by the developer or service responsible for the third-party app—for instance, when autofilling Gmail credentials into Google's official Gmail app, or Facebook credentials into Facebook's official Android app.


The original article contains 725 words, the summary contains 204 words. Saved 72%. I'm a bot and I'm open source!