Password managers leaking credentials in Android apps

Several popular password managers have been leaking user credentials due to a vulnerability in the autofill function of Android apps, TechCrunch reports.
Researchers at IIIT Hyderabad discovered the vulnerability — dubbed “AutoSpill” — and found that it can expose saved passwords by bypassing Android’s autofill functionality.
When an Android app loads a login page in a WebView, password managers can become confused about where they should fill in the user's login information.
As a result, the password manager exposes the user's credentials to the app's native fields.
“Let’s say you are trying to log into your favourite music app on your mobile device, and you use the option of ‘login via Google or Facebook’,” IIIT Hyderabad researcher Ankit Gangwal said.
“The music app will open a Google or Facebook login page inside itself via the WebView.”
“When the password manager is invoked to autofill the credentials, ideally, it should autofill only into the Google or Facebook page that has been loaded. But we found that the autofill operation could accidentally expose the credentials to the base app.”
He added that malicious apps that ask you to sign in via another site, such as Google or Facebook, can access user credentials even without any phishing attempt.
The researchers found that most popular password managers, including LastPass, 1Password, Keeper, and Enpass, were vulnerable to exposing login credentials, even with JavaScript injection disabled.
Testing with JavaScript injection revealed that all password managers were susceptible to the flaw.
Pedro Canahuati, chief technology officer at 1Password, told MyBroadband that the company is aware of the problem and is working on a fix.
“A fix for AutoSpill has been identified and is currently being worked on,” said Canahuati.
“While the fix will further strengthen our security posture, 1Password’s autofill function has been designed to require the user to take explicit action.”
“The update will provide additional protection by preventing native fields from being filled with credentials that are only intended for Android’s WebView,” he added.
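
The kind of check described above, keeping credentials meant for a WebView page out of the host app's native fields, could look like this inside an Android autofill service. This is an added example, not code from the article or from any password manager; `webOnlyFillTargets` and `credentialDomain` are hypothetical names, and exact matching on the web domain is a simplifying assumption.

```kotlin
import android.app.assist.AssistStructure
import android.app.assist.AssistStructure.ViewNode
import android.view.View
import android.view.autofill.AutofillId

// Hypothetical origin gate for an AutofillService: returns only the text
// fields that live inside web content served by `credentialDomain`.
// Native fields of the hosting app never appear in the result, so the
// service has nothing to fill there even if they look like login fields.
fun webOnlyFillTargets(
    structure: AssistStructure,
    credentialDomain: String
): List<AutofillId> {
    val targets = mutableListOf<AutofillId>()
    for (i in 0 until structure.windowNodeCount) {
        val root = structure.getWindowNodeAt(i).rootViewNode
        collect(root, null, credentialDomain, targets)
    }
    return targets
}

private fun collect(
    node: ViewNode,
    inheritedDomain: String?,
    credentialDomain: String,
    out: MutableList<AutofillId>
) {
    // webDomain is non-null only on nodes that represent web content.
    // Assumption of this sketch: descendants inherit the nearest
    // ancestor's domain; native views have no such ancestor.
    val domain = node.webDomain ?: inheritedDomain
    val id = node.autofillId
    val fillableText = id != null &&
        node.autofillType == View.AUTOFILL_TYPE_TEXT

    if (fillableText) {
        // Fill only when the field sits under the page the credential
        // was saved for. A null domain means a native field: skip it.
        if (domain != null && domain.equals(credentialDomain, ignoreCase = true)) {
            out += id!!
        }
    }
    for (i in 0 until node.childCount) {
        collect(node.getChildAt(i), domain, credentialDomain, out)
    }
}
```

The service would run its usual username and password field detection only over the returned IDs, so a native field in the host app cannot be selected as a fill target for a web credential.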