    Your mobile password manager might be exposing your credentials

    By bibhuti | December 6, 2023 | Tech


    A number of popular mobile password managers are inadvertently spilling user credentials due to a vulnerability in the autofill functionality of Android apps.

    The vulnerability, dubbed “AutoSpill,” can expose users’ saved credentials from mobile password managers by circumventing Android’s secure autofill mechanism, according to university researchers at the IIIT Hyderabad, who discovered the vulnerability and presented their research at Black Hat Europe this week.

    The researchers, Ankit Gangwal, Shubham Singh and Abhijeet Srivastava, looked at what happens when an Android app loads a login page in WebView, the pre-installed engine from Google that lets developers display web content in-app without launching a web browser. When an autofill request is generated for that page, they said, password managers can get “disoriented” about where they should target the user’s login information and instead expose their credentials to the underlying app’s native fields.

    “Let’s say you are trying to log into your favorite music app on your mobile device, and you use the option of ‘login via Google or Facebook.’ The music app will open a Google or Facebook login page inside itself via the WebView,” Gangwal explained to TechCrunch prior to their Black Hat presentation on Wednesday.

    “When the password manager is invoked to autofill the credentials, ideally, it should autofill only into the Google or Facebook page that has been loaded. But we found that the autofill operation could accidentally expose the credentials to the base app.”

    Gangwal notes that the ramifications of this vulnerability, particularly in a scenario where the base app is malicious, are significant. He added: “Even without phishing, any malicious app that asks you to log in via another site, like Google or Facebook, can automatically access sensitive information.”

    The researchers tested the AutoSpill vulnerability using some of the most popular password managers, including 1Password, LastPass, Keeper, and Enpass, on new and up-to-date Android devices. They found that most apps were vulnerable to credential leakage, even with JavaScript injection disabled. When JavaScript injection was enabled, all the password managers were susceptible to their AutoSpill vulnerability.

    Gangwal says he alerted Google and the affected password managers to the flaw.

    1Password chief technology officer Pedro Canahuati told TechCrunch that the company has identified and is working on a fix for AutoSpill. “While the fix will further strengthen our security posture, 1Password’s autofill function has been designed to require the user to take explicit action,” said Canahuati. “The update will provide additional protection by preventing native fields from being filled with credentials that are only intended for Android’s WebView.”
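
A simplified model of the field-targeting decision described above, added here as an illustration and not code from the researchers or any password manager. The `ViewNode` class, the node names and the sample tree are constructed; the `web_only_targets` check mirrors the fix 1Password describes, filling only fields that sit inside the WebView for the saved record's domain.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ViewNode:
    """Hypothetical stand-in for one node of the view tree an autofill service sees."""
    node_id: str
    hint: Optional[str] = None        # "username" / "password" for fillable fields
    web_domain: Optional[str] = None  # set only on content rendered by a WebView
    children: List["ViewNode"] = field(default_factory=list)


def fillable(node, inherited_domain=None):
    """Yield (node, effective web domain) for every credential field in the tree."""
    domain = node.web_domain or inherited_domain
    if node.hint in ("username", "password"):
        yield node, domain
    for child in node.children:
        yield from fillable(child, domain)


def naive_targets(root):
    """Origin-blind selection: every credential-looking field is a fill target."""
    return [n.node_id for n, _ in fillable(root)]


def web_only_targets(root, record_domain):
    """Fill only fields inside a WebView whose domain matches the saved record."""
    wanted = record_domain.lower()
    return [n.node_id for n, d in fillable(root)
            if d is not None and d.lower() == wanted]


# Constructed sample: a host app with native fields plus an embedded login page.
SAMPLE_TREE = ViewNode("activity_root", children=[
    ViewNode("native_username", hint="username"),
    ViewNode("native_password", hint="password"),
    ViewNode("webview", web_domain="accounts.example.com", children=[
        ViewNode("html_email", hint="username"),
        ViewNode("html_password", hint="password"),
    ]),
])

if __name__ == "__main__":
    print("naive:   ", naive_targets(SAMPLE_TREE))
    print("web-only:", web_only_targets(SAMPLE_TREE, "accounts.example.com"))
```
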

    Keeper CTO Craig Lurey said in remarks shared with TechCrunch that the company was notified about a potential vulnerability, but did not say if it had made any fixes. “We requested a video from the researcher to demonstrate the reported issue. Based upon our analysis, we determined the researcher had first installed a malicious application and subsequently, accepted a prompt by Keeper to force the association of the malicious application to a Keeper password record,” said Lurey.

    Keeper said it has “safeguards in place to protect users against automatically filling credentials into an untrusted application or a site that was not explicitly authorized by the user,” and recommended that the researcher submit his report to Google “since it is specifically related to the Android platform.”

    Google and Enpass did not respond to TechCrunch’s questions. LastPass spokesperson Elizabeth Bassler did not comment by press time.

    Gangwal tells TechCrunch that the researchers are now exploring the possibility of an attacker potentially extracting credentials from the app to WebView. The team is also investigating whether the vulnerability can be replicated on iOS.


