Some popular mobile password managers accidentally spill user credentials due to a vulnerability in the autofill feature of Android apps.
The vulnerability, called “AutoSpill,” can expose stored user credentials from mobile password managers, bypassing Android’s secure autofill mechanism, according to university researchers at IIIT Hyderabad, who discovered the vulnerability and presented the research them at Black Hat Europe this week.
The researchers, Ankit Gangwal, Shubham Singh and Abhijeet Srivastava, found that when an Android app loads a WebView login page, password managers can become “disoriented” about where to target the user’s login credentials and instead expose their credentials to the underlying application. native fields, they said. This is because WebView, the pre-installed engine from Google, allows developers to display web content in-app without launching a web browser and an autocomplete request is generated.
“Let’s say you’re trying to sign in to your favorite music app on your mobile device and you use the ‘sign in with Google or Facebook’ option. The music app will open a Google or Facebook sign-in page within itself through WebView,” Gangwal explained to TechCrunch ahead of Black Hat’s presentation on Wednesday.
“When the password manager is called upon to autofill credentials, ideally, it should autofill only on the loaded Google or Facebook page. However, we found that the autofill feature could accidentally expose credentials to the core application.”
Gangwal notes that the implications of this vulnerability, particularly in a scenario where the underlying application is malicious, are significant. He added: “Even without phishing, any malicious app that asks you to sign in through another website, such as Google or Facebook, can automatically access sensitive information.”
The researchers tested the AutoSpill vulnerability using some of the most popular password managers, including 1Password, LastPass, Keeper, and Enpass, on new and updated Android devices. They found that most apps were vulnerable to credential leaks, even with JavaScript injection disabled. When JavaScript injection was enabled, all password managers were vulnerable to the AutoSpill vulnerability.
Gangwal says he notified Google and affected password managers about the flaw.
1Password CTO Pedro Canahuati told TechCrunch that the company has identified and is working on a fix for AutoSpill. “While the fix will further strengthen our security posture, 1Password’s autofill feature is designed to require the user to take explicit action,” said Canahuati. “The update will provide additional protection by preventing native fields from being populated with Android WebView-only credentials.”
Guardian CTO Craig Lurey said in remarks shared with TechCrunch that the company was notified of a potential vulnerability, but did not say whether it had made fixes. “We requested a video from the researcher to demonstrate the reported problem. Based on our analysis, we determined that the researcher had first installed a malicious application and then accepted a prompt from Keeper to force the association of the malicious application with a Keeper password record,” Lurey said.
Keeper said it “protects users from auto-filling credentials on an untrusted app or website that was not explicitly authorized by the user” and recommended that the researcher submit their report to Google “as it specifically relates to the Android platform.” “
Google and Enpass did not respond to TechCrunch’s questions. Alex Cox, manager of LastPass’ threat intelligence, mitigation and escalation team, told TechCrunch that before learning of the researchers’ findings, LastPass already had a mitigation in place via an in-product pop-up warning when the app detected they were trying to exploit the exploit . “After analyzing the findings, we added more informative wording to the pop-up,” Cox said.
Gangwal tells TechCrunch that researchers are now investigating the possibility that an attacker could extract credentials from the app to WebView. The team is also investigating whether the vulnerability can be replicated on iOS.
Updated with comment from LastPass.
