Saturday, Jul 11, 2026
English News
  • Hyderabad
  • Telangana
  • AP News
  • India
  • World
  • Entertainment
  • Sport
  • Science and Tech
  • Business
  • Rewind
  • ...
    • NRI
    • View Point
    • cartoon
    • My Space
    • Education Today
    • Reviews
    • Property
    • Lifestyle
E-Paper
  • NRI
  • View Point
  • cartoon
  • My Space
  • Reviews
  • Education Today
  • Property
  • Lifestyle
Home | Hyderabad | Android Based Apps Accidently Leaking Login Credentials Iiit Hyderabad Study

Android-based apps accidently leaking login credentials: IIIT Hyderabad study

Here is a word of caution for the Android users who use the autofill facility to log into the apps on smartphones.

By Telangana Today
Published Date - 17 October 2023, 08:06 PM
Android-based apps accidently leaking login credentials: IIIT Hyderabad study
whatsapp facebook twitter telegram

Hyderabad: Here is a word of caution for the Android users who use the autofill facility to log into the apps on smartphones.

The International Institute of Information Technology (IIIT) – Hyderabad researchers have found that the autofill functionality in the Android-based apps were accidently leaking login credentials to the apps hosting the webpages.

Also Read

  • IIIT Hyderabad develops smartphone AI for early oral cancer detection
  • IIIT Hyderabad researchers come up with solution to store humongous CCTV cameras footage

Of late, the usage of password managers have become popular among smartphone users for not just generating a long password for their accounts but also remembering the same for the next login. The password managers have also become popular for its autofill facility of the required credentials in different login forms.

In an experiment with password managers’ autofill functionality on the mobile operating systems, the research team discovered what they termed as the AutoSpill attack.

The researchers lead by Prof. Ankit Gangwal from the Centre for Security, Theory and Algorithmic Research (CSTAR), IIIT-Hyderabad, found that every time an app loads a login page in WebView, an autofill request is generated from that WebView, the password managers and mobile operating system get disoriented about the target page for filling in the login credentials.

While the expected behaviour is to populate the login page in WebView, the app loading the WebView could get access to the sensitive information, they said.

Prof. Gangwal said when a user tries to login to a music app on the mobile device via Google or Facebook, the music app will open Google or Facebook login page inside itself i.e., within the music app via the WebView

“When the password manager is invoked to autofill the credentials, ideally it should autofill only into the Google or Facebook page that has been loaded. But we found that the autofill operation could accidentally expose the credentials to the base app, which in this case is your music app,” Prof. Gangwal explained.

He emphasized that even without phishing, any malicious app that asks login via another site, can automatically get access to sensitive information.

According to researchers MTech students – Shubham Singh and Abhijeet Srivastava, since both Android and password managers handle an autofill request with slightly different objectives (security, usability, etc.), they eventually become incompatible from the perspective of the amount of information flowing from one to another.

The findings, which will be presented at BlackHat Europe 2023 conference in December, concluded that both the Android system and the password managers are equally responsible for the credential AutoSpill.

“We brought this to the notice of Google as well as the password managers, who then have acknowledged the security breach,” the professor said. The researchers are currently exploring the possibility of a reverse AutoSpill attack.

  • Follow Us :
  • Tags
  • Android
  • IIIT-H​yderabad
  • Smartphones

Related News

  • IIIT-Hyderabad student Souvik Ghosh named in Forbes 30 Under 30 Asia 2026

    IIIT-Hyderabad student Souvik Ghosh named in Forbes 30 Under 30 Asia 2026

  • WhatsApp testing new feature: Here’s how to set it up

    WhatsApp testing new feature: Here’s how to set it up

  • Tech layoffs fuel massive surge in AI and GenAI upskilling programs

    Tech layoffs fuel massive surge in AI and GenAI upskilling programs

  • Durability takes centre stage in smartphones as realme 16 5G introduces IP69-level protection

    Durability takes centre stage in smartphones as realme 16 5G introduces IP69-level protection

Latest News

  • India is a launchpad for global growth, PM Modi tells New Zealand CEOs

    5 mins ago
  • MLRIT bags four honours at CSI Annual Excellence Awards 2026

    7 mins ago
  • Telangana CEO directs BLOs to digitise SIR forms promptly

    11 mins ago
  • Rahul, Kharge urge centre to coordinate with Vietnam after tourist boat tragedy

    19 mins ago
  • Harish Rao demands Revanth’s resignation over Shabad multiple murders

    18 mins ago
  • India’s First CMP Pad Technologies Hub set up at T- Works

    23 mins ago
  • Modi’s three-nation tour signals India’s shift towards long-term strategic partnerships

    36 mins ago
  • POCSO accused allegedly kills six, including minor, in Shabad

    36 mins ago

company

  • Home
  • About Us
  • Contact Us
  • Privacy Policy

business

  • Subscribe

telangana today

  • Telangana
  • Hyderabad
  • Latest News
  • Entertainment
  • World
  • Andhra Pradesh
  • Science & Tech
  • Sport

follow us

  • Telangana Today Telangana Today
Telangana Today Telangana Today

© Copyrights 2024 TELANGANA PUBLICATIONS PVT. LTD. All rights reserved. Powered by Veegam