We recommend third-party password managers be sensitive as to where passwords are being inputted, and we have WebView best practices that we recommend all password managers implement. This issue is related to how password managers leverage the autofill APIs when interacting with WebViews.

What Google said

A Google spokesperson told Bleeping Computer, "WebView is used in a variety of ways by Android developers, which include hosting login pages for their own services in their apps."

As a result, they did not leak sensitive data to the host app unless JavaScript injection was specifically used. However, two password managers, Google Smart Lock 13.30.8.26 and Dashlane 6.2221.3, utilize a different technical approach for autofilling.

* Keepass2Android 1.09c-r0

Password managers that did not leak data

These vulnerabilities stemmed from their reliance on Android's native autofill framework. They found that the following apps were vulnerable:

* 1Password 7.9.4
* LastPass 5.

Password managers that 'failed'

The IIIT researchers claimed to have tested AutoSpill in several popular password managers on Android 10, 11, and 12.