A few of the most popular password managers have been called out by security researchers who uncovered a major vulnerability that impacts the autofill function on devices running Android. This vulnerability enables hackers to bypass the security mechanisms that protect the autofill functionality on Android devices, thereby exposing credentials to the host app calling for them.
What Is The Android AutoSpill Password Manager Vulnerability?
The researchers, Ankit Gangwal, Shubham Singh and Abhijeet Srivastava from the International Institute of Information Technology Hyderabad, presented their findings on December 6 at the Black Hat Europe hacker conference. The very aptly named AutoSpill vulnerability exists when an Android app loads a login page using WebView. This Google component, pre-installed by default, enables Android apps to display web content. App developers show web content this way, within WebView, so launching a separate web browser isn’t required. When the login page appears, the autofill function kicks in and requests the login credentials in question. So far, so good. Things get a little, well, a lot, less good when those credentials are filled in following the invocation of a password manager. What should happen is that the credentials are inserted only into the login field of the web page being loaded. Instead, and this is where it becomes very concerning for most Android phone users, those credentials can also be shared with the host app itself. This common scenario, the researchers said, includes examples such as “in-app opening of hyperlinks in Skype or Gmail mobile apps,” as well as “the Login with Apple/Facebook/Google button for user authentication within a third-party mobile app.”
Which Password Managers Are Vulnerable To AutoSpill?
Some of the most popular password managers were found to be vulnerable to an AutoSpill exploit. These included 1Password, LastPass, Enpass, Keeper, and Keepass2Android. When a JavaScript injection method was enabled, DashLane and Google Smart Lock were also susceptible to the credential-stealing attack. Although there is no evidence of AutoSpill being exploited in the wild, the researchers are at pains to point out that the ramifications of AutoSpill are highly dangerous. They say that a malicious app designed to harvest credentials while posing as an innocuous utility would not require any malicious code in the app itself, which means it could be made available in the official app store. “We responsibly disclosed our findings to the affected password managers and Android security team. Different password managers and Google accepted our work as a valid issue,” the researchers said.
A Google spokesperson told Bleeping Computer that “This issue is related to how password managers leverage the autofill APIs when interacting with WebViews. We recommend third-party password managers be sensitive as to where passwords are being inputted, and we have WebView best practices that we recommend all password managers implement.”
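Google's recommendation above, and the WebView scenario described earlier, come down to one check inside a password manager's autofill service: match credentials to the web domain shown in the WebView, and hand them to the host app silently only when that app provably owns the domain (via its Digital Asset Links statement), otherwise ask the user. The following is an added Python model of that decision logic, not code from any of the password managers or from Android; the view tree, package names, certificate fingerprint, assetlinks.json document and action names are all constructed assumptions.

```python
import json

# Constructed stand-in for the AssistStructure view tree that Android's autofill
# framework passes to AutofillService.onFillRequest(). A node hosted inside a
# WebView carries "webDomain"; native widgets do not.
SAMPLE_STRUCTURE = {
    "package": "com.example.chatapp",        # host app that opened the WebView
    "children": [
        {"id": "webview", "webDomain": "accounts.example-bank.test",
         "children": [{"id": "user", "hint": "username"},
                      {"id": "pass", "hint": "password"}]},
    ],
}

# Constructed assetlinks.json as it would be served from
# https://accounts.example-bank.test/.well-known/assetlinks.json
ASSETLINKS = {"accounts.example-bank.test": json.loads("""[
  {"relation": ["delegate_permission/common.get_login_creds"],
   "target": {"namespace": "android_app",
              "package_name": "com.example.bankapp",
              "sha256_cert_fingerprints": ["AA:BB:CC:DD"]}}]""")}

def web_domains(node):
    """Yield every webDomain found in the view tree (depth first)."""
    if "webDomain" in node:
        yield node["webDomain"]
    for child in node.get("children", []):
        yield from web_domains(child)

def host_owns_domain(domain, package, fingerprint, assetlinks):
    """True only if the domain delegates login credentials to this exact package and signing cert."""
    for stmt in assetlinks.get(domain, []):
        target = stmt.get("target", {})
        if ("delegate_permission/common.get_login_creds" in stmt.get("relation", [])
                and target.get("namespace") == "android_app"
                and target.get("package_name") == package
                and fingerprint in target.get("sha256_cert_fingerprints", [])):
            return True
    return False

def decide(structure, host_fingerprint, assetlinks):
    """Return (action, domain): credentials are scoped to the web domain, never to the
    host package alone, and filled silently only when the host is verified to own it."""
    domains = set(web_domains(structure))
    if not domains:
        return ("FILL_NATIVE", None)           # no WebView: ordinary app login form
    if len(domains) > 1:
        return ("REFUSE", None)                # ambiguous page; never guess
    domain = domains.pop()
    if host_owns_domain(domain, structure["package"], host_fingerprint, assetlinks):
        return ("FILL", domain)
    return ("ASK_USER", domain)                # third-party host: show the domain, ask first
```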
A spokesperson for Enpass told me that “Ankit Gangwal from the research team at the Indian Institutes of Information Technology reached out to us in June 2022 about the AutoSpill vulnerability in the Android Autofill framework. That vulnerability was subsequently patched in Enpass 6.8.3, released September 29, 2022.”
(credit to Forbes)