Some popular mobile password managers are accidentally leaking user credentials due to a vulnerability in the autofill feature of Android apps.
The vulnerability, called “AutoSpill", can expose stored user credentials from mobile password managers, bypassing Android's secure autofill mechanism, according to university researchers at IIIT Hyderabad, who discovered the vulnerability and presented their research at Black Hat Europe this week.
The researchers, Ankit Gangwal, Shubham Singh and Abhijeet Srivastava, found that when an Android app loads a login page inside a WebView, password managers can become "disoriented" about where to target the user's login information and end up filling the credentials into the host app's own native fields, exposing them to whoever controls that app. WebView is Google's pre-installed browser engine component for Android, which lets developers display web content inside an application without launching a separate browser.
“Let's say you're trying to sign in to your favorite music app on your mobile device and you're using the 'sign in with Google or Facebook' option. The music app will open a Google or Facebook login page within it through WebView,” Gangwal explained to TechCrunch ahead of Wednesday's Black Hat presentation.
“When the password manager is called upon to autofill credentials, ideally, it should autofill only on the loaded Google or Facebook page. But we found that the autofill feature could accidentally expose credentials in the core app as well.” Gangwal notes that the implications of this vulnerability, particularly in a scenario where the underlying application is malicious, are significant. He added:
"Even without phishing, any malicious app that asks you to log in through another website, such as Google or Facebook, can automatically access sensitive information."
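To make the failure concrete, the following is an added illustration, not code from the AutoSpill researchers, from Google or from any password manager vendor. It sketches the scoping check an Android AutofillService can apply when it receives a fill request: walk the AssistStructure of the current screen, and offer a stored web credential only to fields that sit inside web content whose domain matches the credential. Native fields of the host app report no web domain and so get nothing, which is exactly the path a malicious app would exploit in the scenario Gangwal describes. The class name, the STORED_* values and the assumption that a web domain reported on a WebView node applies to the nodes beneath it are hypothetical choices for the example.

```java
// Added example (not the researchers' or any vendor's code): an AutofillService
// that only fills a web credential into fields belonging to a WebView page whose
// domain matches the credential. Host-app native fields (no web domain) are skipped.
import android.app.assist.AssistStructure;
import android.app.assist.AssistStructure.ViewNode;
import android.os.CancellationSignal;
import android.service.autofill.AutofillService;
import android.service.autofill.Dataset;
import android.service.autofill.FillCallback;
import android.service.autofill.FillContext;
import android.service.autofill.FillRequest;
import android.service.autofill.FillResponse;
import android.view.View;
import android.view.autofill.AutofillValue;
import android.widget.RemoteViews;

import java.util.ArrayList;
import java.util.List;

public class DomainScopedAutofillService extends AutofillService {

    // Hypothetical stored credential; a real service would look this up in its vault.
    private static final String STORED_DOMAIN = "accounts.google.com";
    private static final String STORED_USER = "alice@example.com";
    private static final String STORED_PASS = "correct horse battery staple";

    @Override
    public void onFillRequest(FillRequest request, CancellationSignal signal, FillCallback callback) {
        List<FillContext> contexts = request.getFillContexts();
        AssistStructure structure = contexts.get(contexts.size() - 1).getStructure();

        List<ViewNode> usernameNodes = new ArrayList<>();
        List<ViewNode> passwordNodes = new ArrayList<>();
        for (int i = 0; i < structure.getWindowNodeCount(); i++) {
            collectEligibleFields(structure.getWindowNodeAt(i).getRootViewNode(),
                    null, usernameNodes, passwordNodes);
        }
        if (usernameNodes.isEmpty() && passwordNodes.isEmpty()) {
            callback.onSuccess(null); // no field we are willing to fill on this screen
            return;
        }

        RemoteViews presentation = new RemoteViews(getPackageName(), android.R.layout.simple_list_item_1);
        presentation.setTextViewText(android.R.id.text1, STORED_USER);
        Dataset.Builder dataset = new Dataset.Builder(presentation);
        for (ViewNode n : usernameNodes) dataset.setValue(n.getAutofillId(), AutofillValue.forText(STORED_USER));
        for (ViewNode n : passwordNodes) dataset.setValue(n.getAutofillId(), AutofillValue.forText(STORED_PASS));
        callback.onSuccess(new FillResponse.Builder().addDataset(dataset.build()).build());
    }

    // Recursive walk of the view tree. inheritedDomain is the web domain reported by the
    // nearest enclosing node that had one (assumption: WebView content is scoped by the
    // domain on the WebView node); native host-app views never report a domain.
    private static void collectEligibleFields(ViewNode node, String inheritedDomain,
                                              List<ViewNode> users, List<ViewNode> passes) {
        String domain = node.getWebDomain() != null ? node.getWebDomain() : inheritedDomain;
        if (node.getAutofillId() != null && isFillableText(node)) {
            // The AutoSpill guard: fill only inside web content for the credential's domain.
            // A native field (domain == null) or a foreign domain is left untouched.
            if (domain != null && domainMatches(domain, STORED_DOMAIN)) {
                if (hasHint(node, View.AUTOFILL_HINT_PASSWORD)) {
                    passes.add(node);
                } else if (hasHint(node, View.AUTOFILL_HINT_USERNAME)
                        || hasHint(node, View.AUTOFILL_HINT_EMAIL_ADDRESS)) {
                    users.add(node);
                }
            }
        }
        for (int i = 0; i < node.getChildCount(); i++) {
            collectEligibleFields(node.getChildAt(i), domain, users, passes);
        }
    }

    private static boolean isFillableText(ViewNode node) {
        return node.getAutofillType() == View.AUTOFILL_TYPE_TEXT && node.getAutofillHints() != null;
    }

    private static boolean hasHint(ViewNode node, String hint) {
        for (String h : node.getAutofillHints()) {
            if (hint.equals(h)) return true;
        }
        return false;
    }

    // Exact match or a subdomain of the stored domain; a plain suffix test would
    // accept lookalikes such as "evilgoogle.com".
    static boolean domainMatches(String seen, String stored) {
        seen = seen.toLowerCase();
        stored = stored.toLowerCase();
        return seen.equals(stored) || seen.endsWith("." + stored);
    }
}
```

Two simplifications to keep in mind: production services identify username and password fields in HTML through heuristics on the node's HtmlInfo as well as autofill hints, and they also verify that the requesting app is associated with the domain (for example via Digital Asset Links) before filling native fields at all. The point the example isolates is the one AutoSpill turns on: a credential stored for a web domain must never be written into a field that does not belong to that domain's page.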
The researchers tested the AutoSpill vulnerability using some of the most popular password managers, including 1Password, LastPass, Keeper, and Enpass, on new and updated Android devices.
They found that most of the apps were vulnerable to credential leaks even with JavaScript injection disabled; with JavaScript injection enabled, every password manager tested was vulnerable. Gangwal says he notified Google and the affected password managers about the flaw. His team is also investigating whether the vulnerability can be reproduced on iOS.