A number of popular mobile password managers unintentionally leak user credentials due to a vulnerability in the autofill function of Android apps.
The vulnerability, dubbed ‘AutoSpill’, could expose users’ saved credentials from mobile password managers by circumventing Android’s secure autofill mechanism, according to university researchers at IIIT Hyderabad, who discovered the vulnerability and presented their research at Black Hat Europe this week.
The researchers, Ankit Gangwal, Shubham Singh, and Abhijit Srivastava, found that when an Android app loads a login page in WebView, Google’s pre-installed engine that lets developers display web content inside an app without launching a web browser, an autofill request is generated, and password managers can get “confused” about where they should target the user’s login information. Instead of filling only the login page, they can expose the credentials to the native fields of the underlying application.
“Let’s say you’re trying to sign in to your favorite music app on your mobile device, and you use the ‘Sign in with Google or Facebook’ option. The music app will open a Google or Facebook login page within itself via a WebView,” Gangwal explained to TechCrunch ahead of the presentation at Black Hat on Wednesday.
“When a password manager is called to autofill credentials, it’s best to autofill only the loaded Google or Facebook page. But we’ve found that the autofill process can expose credentials to the underlying application in error.”
Gangwal points out that the ramifications of this vulnerability, especially in a scenario where the underlying application is malicious, are significant. “Even without phishing, any malicious app that asks you to log in via another site, such as Google or Facebook, can automatically access sensitive information,” he added.
The researchers tested the AutoSpill vulnerability against some of the most popular password managers, including 1Password, LastPass, Keeper, and Enpass, on new and updated Android devices. They found that most of the apps were vulnerable to credential leaks even with JavaScript injection disabled. With JavaScript injection enabled, all of the password managers tested were vulnerable to AutoSpill.
Gangwal says the team has alerted Google and the affected password managers to the flaw.
Pedro Canahuati, chief technology officer at 1Password, told TechCrunch that the company has identified and is working on a fix for AutoSpill. “Although the fix will strengthen our security posture, 1Password’s autofill functionality is designed to require the user to take an explicit action,” Canahuati said. “The update will provide additional protection by preventing native fields from being filled with credentials intended only for Android WebView.”
Keeper CTO Craig Lurey said in remarks shared with TechCrunch that the company had been notified of the potential vulnerability, but he did not say whether it had made any fixes. “We requested a video from the researcher to illustrate the reported issue. Based on our analysis, we determined that the researcher first installed a malicious application and then accepted a prompt from Keeper to force link the malicious application to Keeper’s password history,” Lurey said.
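The mechanism the researchers describe (a WebView login page and the host app's own native fields arriving in the same autofill request) and the kind of fix 1Password describes (never filling native fields with credentials meant for a WebView) can both be illustrated from the password manager's side. The following Kotlin sketch is an added example written for this page; it is not code from the AutoSpill paper, from 1Password, Keeper, or any other vendor. It uses the real Android `AutofillService` API, walks the `AssistStructure` of a fill request, and offers a credential saved for a web domain only to view nodes that a WebView reported for that exact domain. Native fields, which report no `webDomain`, are skipped even when they carry username or password autofill hints. The vault lookup (`lookupCredentialForDomain`) and the `SavedCredential` type are stand-ins.

```kotlin
// Added illustration for this article, not the researchers' or any vendor's code.
// Shows one way an Android AutofillService can keep a credential saved for a
// web domain from spilling into the host app's native fields when the fill
// request originates from a WebView login page.
import android.app.assist.AssistStructure
import android.os.CancellationSignal
import android.service.autofill.AutofillService
import android.service.autofill.Dataset
import android.service.autofill.FillCallback
import android.service.autofill.FillRequest
import android.service.autofill.FillResponse
import android.view.View
import android.view.autofill.AutofillId
import android.view.autofill.AutofillValue
import android.widget.RemoteViews

/** One fillable field from the AssistStructure. webDomain is null for native views. */
data class FillTarget(val id: AutofillId, val hints: Set<String>, val webDomain: String?)

/** Stand-in for a vault entry; a real manager would read this from its encrypted store. */
data class SavedCredential(val webDomain: String, val username: String, val password: String)

/** Walks every window and view node and collects the fields that carry autofill hints. */
fun collectTargets(structure: AssistStructure): List<FillTarget> {
    val out = mutableListOf<FillTarget>()
    fun visit(node: AssistStructure.ViewNode) {
        val id = node.autofillId
        val hints = node.autofillHints?.toSet() ?: emptySet()
        if (id != null && hints.isNotEmpty()) out += FillTarget(id, hints, node.webDomain)
        for (i in 0 until node.childCount) visit(node.getChildAt(i))
    }
    for (i in 0 until structure.windowNodeCount) visit(structure.getWindowNodeAt(i).rootViewNode)
    return out
}

/**
 * A credential saved for a web domain is offered only to fields a WebView reported
 * for that same domain. Native fields (webDomain == null) in the same request are
 * never selected, even though they may advertise username/password hints.
 */
fun selectFillable(targets: List<FillTarget>, cred: SavedCredential): List<FillTarget> =
    targets.filter { t -> t.webDomain != null && t.webDomain.equals(cred.webDomain, ignoreCase = true) }

class DomainBoundAutofillService : AutofillService() {
    override fun onFillRequest(request: FillRequest, signal: CancellationSignal, callback: FillCallback) {
        val targets = collectTargets(request.fillContexts.last().structure)
        // Only the WebView path is handled here; app-package matching for purely native
        // logins is a separate concern and is deliberately out of scope for this sketch.
        val requestedDomain = targets.firstNotNullOfOrNull { it.webDomain }
        if (requestedDomain == null) { callback.onSuccess(null); return }
        val cred = lookupCredentialForDomain(requestedDomain)
        if (cred == null) { callback.onSuccess(null); return }
        val fields = selectFillable(targets, cred)
        if (fields.isEmpty()) { callback.onSuccess(null); return }

        // Presentation row shown in the autofill picker; the user still has to tap it.
        val presentation = RemoteViews(packageName, android.R.layout.simple_list_item_1).apply {
            setTextViewText(android.R.id.text1, cred.username)
        }
        val dataset = Dataset.Builder(presentation)
        for (f in fields) {
            val value = when {
                View.AUTOFILL_HINT_USERNAME in f.hints -> cred.username
                View.AUTOFILL_HINT_PASSWORD in f.hints -> cred.password
                else -> null
            }
            if (value != null) dataset.setValue(f.id, AutofillValue.forText(value))
        }
        callback.onSuccess(FillResponse.Builder().addDataset(dataset.build()).build())
    }

    // Hypothetical vault lookup; returns null here so the sketch compiles without a store.
    private fun lookupCredentialForDomain(domain: String): SavedCredential? = null
}
```

The key check is in `selectFillable`: the decision is made per view node on the basis of `webDomain`, not on the presence of username/password hints, so a host app's native `EditText` fields cannot receive a credential that belongs to the WebView's domain. This covers the case the researchers describe with JavaScript injection disabled; the variant they report with JavaScript injection enabled operates inside the web content itself and is not addressed by node selection alone. On the app side, developers who embed a third-party login page can additionally mark their own native fields with `android:importantForAutofill="no"` so they are not advertised to the autofill framework in the first place.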
Keeper said it has “safeguards in place to protect users from automatically filling credentials into an untrusted app or site not explicitly authorized by the user,” and recommended that the researcher submit his report to Google “since it specifically relates to the Android platform.”
Google and Enpass did not respond to TechCrunch’s questions. LastPass spokeswoman Elizabeth Bassler had not commented at press time.
Gangwal told TechCrunch that researchers are now exploring the possibility of an attacker exfiltrating credentials from the app into a WebView. The team is also investigating whether the vulnerability could be replicated on iOS.