PhilippC
PhilippC
I have today received the paper by the authors publishing this attack and will investigate it.
The paper does not provide enough information IMO. I asked the authors for their apk (in source code or binary) to demonstrate the issue, but haven't received it for 2...
I have requested the paper on https://www.researchgate.net/publication/370223676_AutoSpill_Credential_Leakage_from_Mobile_Password_Managers. I'm sure they will share with you as well. And maybe it helps if you ask for the testing app as well?
@strauss115 thanks a lot for sharing that testing tool! I installed it and it does show that it is possible that KP2A will fill the username field of the host...
I still don't know how to reproduce. @CiaoAnkit, you are the author of that paper, can you please comment here to help us reproduce the vulnerability you reported?
thanks for getting back @CiaoAnkit! I guess that is the paper you shared on Research Gate, right? I wasn't able to reproduce it from there, but maybe the demo video...
unfortunately the video did not help me to reproduce the issue. Unless there is an app demonstrating the exploit, I don't know how to continue here.
which storage type are you using?
if you see the error in the app, does it mean the database file is corrupted (e.g. you can not load it from other tools like KeePass2 on the PC)?...
do you have any special timezone/calendar settings on your phone? I cannot reproduce this (I'm in German timezone UTC+1 as well).