Researchers have discovered that several leading Android-based password managers can be fooled into entering login credentials into fake phishing apps.

Password managers can be used to create, store, enter and autofill passwords into apps and websites. As well as allowing users to maintain scores of strong passwords, password managers can also provide some defence against phishing – their autofill features will enter passwords on sites they’re associated with (and their mobile apps), but not on fakes.

The University of Genoa and EURECOM’s Phishing Attacks on Modern Android study explores the difference between accessing a service through its mobile app and accessing it through its website on a desktop browser.

With desktop browsers, when a site is visited for the first time the password manager creates an association between its domain (verified by its digital certificate) and the credentials used to access it. However, when somebody uses the website credentials to log in to an app, the process of verifying the app is more complicated and potentially less secure.

The main way password managers tell good apps from bad apps is by associating the website domain for that app with the app package name, a metadata ID checked using static or heuristically-generated associations. The flaw is that package names can be spoofed – all the attacker has to do is create a fake app with the correct package name and the password manager will trust it enough to present the correct credentials.

The researchers found that several popular password managers were vulnerable to this kind of mapping weakness – LastPass, 1Password, Dashlane, and Keeper – with only Google Smart Lock (which isn’t primarily a password manager) able to resist.

Even Google’s recently introduced Instant Apps – designed to be tried without the need for a download – could be abused by a phishing website to trigger a password manager autofill, the team discovered during testing.
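To make the mapping weakness concrete, the following added example (not code from the study or from any of the products named above) contrasts a package-name-only lookup with a check that also requires the domain to vouch for the app's signing certificate, using the Digital Asset Links statement format. The function names, the `example.com` domain, the package name and the fingerprints are all constructed for illustration.

```python
import json

LOGIN_RELATION = "delegate_permission/common.get_login_creds"
GENUINE_CERT = "AA:" * 31 + "AA"    # constructed fingerprint of the real app
LOOKALIKE_CERT = "BB:" * 31 + "BB"  # constructed fingerprint of a same-named app

# Constructed sample of the statement a site would publish at
# https://example.com/.well-known/assetlinks.json (embedded so this runs offline).
ASSETLINKS_EXAMPLE_COM = json.dumps([{
    "relation": [LOGIN_RELATION],
    "target": {
        "namespace": "android_app",
        "package_name": "com.example.app",
        "sha256_cert_fingerprints": [GENUINE_CERT],
    },
}])

# Constructed static association of the kind the article describes.
NAME_ONLY_MAP = {"com.example.app": "example.com"}


def name_only_domain(package_name):
    """Weak check: trusts whatever package name the requesting app declares."""
    return NAME_ONLY_MAP.get(package_name)


def verified_domain(package_name, cert_sha256, domain, assetlinks_json):
    """Return domain only if its statement lists this package AND signing cert.

    Assumption: cert_sha256 is reported by the platform, not by the app itself.
    """
    try:
        statements = json.loads(assetlinks_json)
    except ValueError:
        return None  # unparseable statement file: fail closed
    if not isinstance(statements, list):
        return None
    wanted = cert_sha256.upper()
    for st in statements:
        if not isinstance(st, dict):
            continue
        target = st.get("target", {})
        prints = [f.upper() for f in target.get("sha256_cert_fingerprints", [])]
        if (LOGIN_RELATION in st.get("relation", [])
                and target.get("namespace") == "android_app"
                and target.get("package_name") == package_name
                and wanted in prints):
            return domain
    return None
```

The name-only lookup returns `example.com` for any app that declares `com.example.app`, while the verified lookup returns it only when the signing certificate matches what the domain published.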