A number of popular mobile password managers are inadvertently spilling user credentials due to a vulnerability in the autofill functionality of Android apps.
The vulnerability, dubbed “AutoSpill,” can expose users’ saved credentials from mobile password managers by circumventing Android’s secure autofill mechanism, according to university researchers at the IIIT Hyderabad, who discovered the vulnerability and presented their research at Black Hat Europe this week.
The researchers, Ankit Gangwal, Shubham Singh and Abhijeet Srivastava, found that when an Android app loads a login page in WebView, password managers can get “disoriented” about where they should target the user’s login information and instead expose their credentials to the underlying app’s native fields, they said. This is because WebView, the preinstalled engine from Google, lets developers display web content in-app without launching a web browser, and an autofill request is generated.
“Let’s say you are trying to log into your favorite music app on your mobile device, and you use the option of ‘login via Google or Facebook.’ The music app will open a Google or Facebook login page inside itself via the WebView,” Gangwal explained to TechCrunch prior to their Black Hat presentation on Wednesday.
“When the password manager is invoked to autofill the credentials, ideally, it should autofill only into the Google or Facebook page that has been loaded. But we found that the autofill operation could accidentally expose the credentials to the base app.”
Gangwal notes that the ramifications of this vulnerability, particularly in a scenario where the base app is malicious, are significant. He added: “Even without phishing, any malicious app that asks you to log in via another site, like Google or Facebook, can automatically access sensitive information.”
The researchers tested the AutoSpill vulnerability using some of the most popular password managers, including 1Password, LastPass, Keeper and Enpass, on new and up-to-date Android devices. They found that most apps were vulnerable to credential leakage, even with JavaScript injection disabled. When JavaScript injection was enabled, all the password managers were susceptible to their AutoSpill vulnerability.
Gangwal says he alerted Google and the affected password managers to the flaw.
Google did not comment when reached prior to publication, but later told TechCrunch that the company recommends that third-party password managers “be sensitive as to where passwords are being inputted, and we have WebView best practices that we recommend all password managers implement,” said Google spokesperson Ed Fernandez.
“Android provides password managers with the required context to distinguish between native views and WebViews, as well as whether the WebView being loaded is not related to the hosting app. For example, when using the Google Password Manager for autofill on Android, users are warned if they are entering a password for a domain Google determines may not be owned by the hosting app, and the password is only filled in on the proper field. Google implements server side protections for logins via WebView,” the Google spokesperson noted.
1Password chief technology officer Pedro Canahuati told TechCrunch that the company has identified and is working on a fix for AutoSpill. “While the fix will further strengthen our security posture, 1Password’s autofill function has been designed to require the user to take explicit action,” said Canahuati. “The update will provide additional protection by preventing native fields from being filled with credentials that are only intended for Android’s WebView.”
Keeper CTO Craig Lurey said in remarks shared with TechCrunch that the company was notified about a potential vulnerability, but did not say if it had made any fixes. “We requested a video from the researcher to demonstrate the reported issue. Based upon our analysis, we determined the researcher had first installed a malicious application and subsequently, accepted a prompt by Keeper to force the association of the malicious application to a Keeper password record,” said Lurey.
Keeper said it “safeguards in place to protect users against automatically filling credentials into an untrusted application or a site that was not explicitly authorized by the user,” and recommended that the researcher submit his report to Google “since it is specifically related to the Android platform.”
Enpass did not respond to TechCrunch’s questions. Alex Cox, director of LastPass’ threat intelligence, mitigation and escalation team, told TechCrunch that prior to being made aware of the researchers’ findings, LastPass already had a mitigation in place via an in-product pop-up warning when the app detected an attempt to leverage the exploit. “After analyzing the findings, we added more informative wording in the pop-up,” Cox said.
Gangwal tells TechCrunch that the researchers are now exploring the possibility of an attacker potentially extracting credentials from the app to WebView. The team is also investigating whether the vulnerability can be replicated on iOS.