[month] [year]

Best paper award at CODASPY-2023

Research work by Dr. Ankit Gangwal and his M.Tech students Shubham Singh and Abhijeet Srivastava on AutoSpill: Credential Leakage from Mobile Password Managers won the best paper award at CODASPY 2023 and was also presented at BLACKHAT EU 2023. Here is the summary of the research work as explained by the authors:

Password managers (PMs) are becoming increasingly popular on mobile devices, especially on small-screen devices, mainly due to the convenience of automatically filling credentials into login forms. Modern mobile OSes advocate for system-wide autofill frameworks to support autofilling on browsers as well as other apps. Mobile OSes also empower apps to directly render web content within WebView controls without redirecting users to the main browser.

We present a novel technique, called AutoSpill, to leak users’ saved credentials during an autofill operation on a webpage loaded into an app’s WebView. AutoSpill conveniently dodges the secure autofill process. The majority of popular Android PMs considered in our experiments were found vulnerable to AutoSpill, even when the app hosting the WebView is not actively participating in the leak. Android intermediates in the autofill process because of its app sandboxing. Hence, the responsibility for any credential leakage is often stranded between PMs and the Android system. We investigate the root causes of AutoSpill and propose countermeasures to fundamentally fix AutoSpill for both parties. We responsibly disclosed our findings to the affected PMs and the Android security team.

Full paper: https://dl.acm.org/doi/10.1145/3577923.3583658

This work has received considerable media coverage and is all over the internet. Here are links to some of the major news coverage: https://ciaoankit.github.io/media.html and https://www.iiit.ac.in/news/auto-spill/


December 2023