Your password manager is not secure and you are exposing yourself to this

In recent years the use of password managers has grown exponentially, as a way to avoid having to remember the access credentials to our favorite services, because the password manager already takes care of that for us.

Applications that seemed completely safe turn out not to be: a flaw has been found in the WebView autocomplete mechanism used by many Android applications.

It was discovered by researchers at the Indian Institute of Technology in Hyderabad, who named the flaw AutoSpill. It automatically exposes the credentials held by password managers, despite the security measures in place for autofill functionality on Android.

The report notes that password managers can become confused when they have to automatically fill in credentials within applications that load web pages using Google's WebView engine.

They give as an example applications that allow you to log in through your Facebook or Google account to facilitate the process.

The bug means that when the password manager is asked to fill in the credentials, it normally fills them into the correct fields of the interface; however, it will sometimes expose the credentials to the base app.

There is a risk that malicious applications posing as legitimate applications could take over these user credentials.

The researchers tested most of the well-known mobile password managers and found that almost all of them were vulnerable to credential leaks, even with JavaScript injection disabled.

With JavaScript injection enabled, all of the mobile password managers tested were susceptible to this bug.

Google already knows about this vulnerability and is working on it.
