A number of popular mobile password managers are inadvertently spilling user credentials due to a vulnerability in the autofill functionality of Android apps.
The vulnerability, dubbed “AutoSpill,” can expose users’ saved credentials from mobile password managers by circumventing Android’s secure autofill mechanism, according to university researchers at the IIIT Hyderabad, who discovered the vulnerability and presented their research at Black Hat Europe this week.
The researchers, Ankit Gangwal, Shubham Singh and Abhijeet Srivastava, found that when an Android app loads a login page in WebView, the pre-installed engine from Google that lets developers display web content in-app without launching a web browser, and an autofill request is generated, password managers can get “disoriented” about where they should target the user’s login information and instead expose their credentials to the underlying app’s native fields, they said.
“Let’s say you are trying to log into your favorite music app on your mobile device, and you use the option of ‘login via Google or Facebook.’ The music app will open a Google or Facebook login page inside itself via the WebView,” Gangwal explained to TechCrunch prior to their Black Hat presentation on Wednesday.
“When the password manager is invoked to autofill the credentials, ideally, it should autofill only into the Google or Facebook page that has been loaded. But we found that the autofill operation could accidentally expose the credentials to the base app.”
Gangwall notes that the ramifications of this vulnerability, particularly in a scenario where the base app is malicious, are significant. He added: “Even without phishing, any malicious app that asks you to log in via another site, like Google or Facebook, can automatically access sensitive information.”
The researchers tested the AutoSpill vulnerability using some of the most popular password managers, including 1Password, LastPass, Keeper, and Enpass, on new and up-to-date Android devices. They found that most apps were vulnerable to credential leakage, even with JavaScript injection disabled. When JavaScript injection was enabled, all the password managers were susceptible to their AutoSpill vulnerability.
Gangwal says he alerted Google and the affected password managers to the flaw.
1Password chief technology officer Pedro Canahuati told TechCrunch that the company has identified and is working on a fix for AutoSpill. “While the fix will further strengthen our security posture, 1Password’s autofill function has been designed to require the user to take explicit action,” said Canahuati. “The update will provide additional protection by preventing native fields from being filled with credentials that are only intended for Android’s WebView.”
Keeper CTO Craig Lurey said in remarks shared with TechCrunch that the company was notified about a potential vulnerability, but did not say if it had made any fixes. “We requested a video from the researcher to demonstrate the reported issue. Based upon our analysis, we determined the researcher had first installed a malicious application and subsequently, accepted a prompt by Keeper to force the association of the malicious application to a Keeper password record,” said Lurey.
Keeper said it “safeguards in place to protect users against automatically filling credentials into an untrusted application or a site that was not explicitly authorized by the user,” and recommended that the researcher submit his report to Google “since it is specifically related to the Android platform.”
Google and Enpass did not respond to TechCrunch’s questions. LastPass spokesperson Elizabeth Bassler did not comment by press time.
Gangwal tells TechCrunch that the researchers are now exploring the possibility of an attacker potentially extracting credentials from the app to WebView. The team is also investigating whether the vulnerability can be replicated on iOS.