Numerous widely used mobile password managers may inadvertently expose user credentials due to a vulnerability in the autofill functionality of Android apps. Researchers from the International Institute of Information Technology (IIIT) Hyderabad discovered the flaw, named “AutoSpill,” which can compromise users’ saved credentials by bypassing Android’s secure autofill mechanism. The research findings were presented at Black Hat Europe.

The team, consisting of Ankit Gangwal, Shubham Singh, and Abhijeet Srivastava, observed that when an Android app loads a login page in WebView, password managers can become “disoriented,” potentially revealing credentials to the native fields of the underlying app. WebView, a preinstalled engine by Google, allows developers to display web content within an app without launching a web browser, triggering an autofill request.

Explaining the vulnerability, Gangwal used an example of logging into a music app using Google or Facebook credentials. In such cases, the autofill operation could mistakenly expose the credentials to the base app, raising concerns about the vulnerability’s implications, especially in the context of a malicious base app. Gangwal noted that even without phishing, a malicious app could automatically access sensitive information by prompting users to log in via another site.

The researchers tested the AutoSpill vulnerability on popular password managers like 1Password, LastPass, Keeper, and Enpass, on new and updated Android devices. They found that most apps were susceptible to credential leakage, even with JavaScript injection disabled. Enabling JavaScript injection made all password managers vulnerable to AutoSpill.

Gangwal promptly informed Google and the affected password managers about the flaw. Pedro Canahuati, CTO of 1Password, confirmed that the company is actively working on a fix for AutoSpill. He emphasized that the update would strengthen security by preventing native fields from being filled with credentials intended only for Android’s WebView.

Craig Lurey, CTO of Keeper, acknowledged being notified about a potential vulnerability but did not disclose if any fixes were implemented. Keeper suggested submitting the report to Google, citing its focus on the Android platform’s security.

While Google and Enpass did not respond to inquiries, LastPass had a mitigation in place before learning of the researchers’ findings. Alex Cox, director of LastPass’ threat intelligence team, stated that they enhanced the in-product pop-up warning after analyzing the reported exploit attempt.

Gangwal mentioned ongoing research into the possibility of attackers extracting credentials from the app to WebView. Additionally, the team is exploring whether the vulnerability can be replicated on iOS.

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Technology industry’s performance in America

The technology industry in America has witnessed remarkable growth in recent years,…

Push to Oust Byju’s Founder Grows 

Investors in Byju’s, a prominent edtech company, are pushing for changes in…

Meta’s Threads Skyrockets to 130M Monthly Users, Surging 30M from Q3 

Meta, the parent company of Instagram, happily shared that Instagram Threads is…

Elon Musk’s X misinformation report feature 

The tool which was available in the US, Australia and south Korea…