Android Vulnerability exposes credentials from password managers

Some popular mobile password managers are leaking user credentials because of a vulnerability in the way Android's autofill feature interacts with apps.

The vulnerability, called “AutoSpill”, can expose stored user credentials from mobile password managers, bypassing Android's secure autofill mechanism, according to university researchers at IIIT Hyderabad, who discovered the vulnerability and presented their research at Black Hat Europe this week.

The researchers, Ankit Gangwal, Shubham Singh and Abhijeet Srivastava, found that when an Android app loads a login page in a WebView, password managers can become "disoriented" about where to target the user's login information and instead fill the credentials into the host app's own login fields, exposing them to attackers. The reason is that WebView, the engine that Google pre-installs on Android, lets developers display web content inside an application without launching a browser.

“Let's say you're trying to sign in to your favorite music app on your mobile device and you're using the 'sign in with Google or Facebook' option. The music app will open a Google or Facebook login page within it through WebView,” Gangwal explained to TechCrunch ahead of Wednesday's Black Hat presentation.

“When the password manager is called upon to autofill credentials, ideally, it should autofill only on the loaded Google or Facebook page. But we found that the autofill feature could accidentally expose credentials in the core app as well.” Gangwal notes that the implications of this vulnerability, particularly in a scenario where the underlying application is malicious, are significant. He added:

"Even without phishing, any malicious app that asks you to log in through another website, such as Google or Facebook, can automatically access sensitive information."
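The scoping rule Gangwal describes (fill only the loaded Google or Facebook page, never the surrounding app) can be enforced on the password-manager side. The sketch below is an added illustration, not the researchers' code or any vendor's fix: a hypothetical Android AutofillService that walks the view tree it is handed and fills a stored web credential only into fields that sit under a WebView whose page domain matches the credential's domain. Native host-app fields carry no web domain and are therefore never filled. The stored domain, username and password are constructed sample values; the class name is invented.

```java
import android.app.assist.AssistStructure;
import android.app.assist.AssistStructure.ViewNode;
import android.os.CancellationSignal;
import android.service.autofill.AutofillService;
import android.service.autofill.Dataset;
import android.service.autofill.FillCallback;
import android.service.autofill.FillContext;
import android.service.autofill.FillRequest;
import android.service.autofill.FillResponse;
import android.service.autofill.SaveCallback;
import android.service.autofill.SaveRequest;
import android.util.Pair;
import android.view.View;
import android.view.ViewStructure;
import android.view.autofill.AutofillValue;
import android.widget.RemoteViews;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Hypothetical password-manager autofill service (illustration only, not any
// vendor's code). A credential saved for a web domain is offered only to fields
// rendered inside a WebView showing that domain; the host app's native fields
// have no web domain and never receive it.
public class DomainScopedAutofillService extends AutofillService {

    // Constructed sample vault entry; a real service loads these from its store.
    private static final String STORED_DOMAIN = "accounts.google.com";
    private static final String STORED_USER = "user@example.com";
    private static final String STORED_PASS = "constructed-example-password";

    @Override
    public void onFillRequest(FillRequest request, CancellationSignal signal,
                              FillCallback callback) {
        // The last FillContext carries the most recent snapshot of the view tree.
        List<FillContext> contexts = request.getFillContexts();
        AssistStructure structure = contexts.get(contexts.size() - 1).getStructure();

        List<ViewNode> targets = new ArrayList<>();
        for (int i = 0; i < structure.getWindowNodeCount(); i++) {
            collect(structure.getWindowNodeAt(i).getRootViewNode(), null, targets);
        }
        if (targets.isEmpty()) {
            // Nothing on screen belongs to the credential's domain: decline to fill.
            callback.onSuccess(null);
            return;
        }

        // Dropdown presentation using a framework layout, so no custom resources.
        RemoteViews presentation =
                new RemoteViews(getPackageName(), android.R.layout.simple_list_item_1);
        presentation.setTextViewText(android.R.id.text1, STORED_USER);

        Dataset.Builder dataset = new Dataset.Builder(presentation);
        for (ViewNode node : targets) {
            String value = isPasswordField(node) ? STORED_PASS : STORED_USER;
            dataset.setValue(node.getAutofillId(), AutofillValue.forText(value));
        }
        callback.onSuccess(new FillResponse.Builder().addDataset(dataset.build()).build());
    }

    @Override
    public void onSaveRequest(SaveRequest request, SaveCallback callback) {
        callback.onSuccess(); // saving new credentials is out of scope here
    }

    // Depth-first walk that carries the nearest enclosing web domain downwards.
    // Nodes outside any WebView never acquire a domain and so are never targets.
    private void collect(ViewNode node, String inheritedDomain, List<ViewNode> out) {
        String own = node.getWebDomain();
        String domain = own != null ? own : inheritedDomain;
        if (domain != null && domain.equalsIgnoreCase(STORED_DOMAIN)
                && node.getAutofillId() != null
                && (hasHint(node, View.AUTOFILL_HINT_USERNAME)
                    || hasHint(node, View.AUTOFILL_HINT_EMAIL_ADDRESS)
                    || isPasswordField(node))) {
            out.add(node);
        }
        for (int i = 0; i < node.getChildCount(); i++) {
            collect(node.getChildAt(i), domain, out);
        }
    }

    private static boolean hasHint(ViewNode node, String hint) {
        String[] hints = node.getAutofillHints();
        return hints != null && Arrays.asList(hints).contains(hint);
    }

    // Web fields may lack autofill hints; fall back to the HTML type attribute.
    private static boolean isPasswordField(ViewNode node) {
        if (hasHint(node, View.AUTOFILL_HINT_PASSWORD)) return true;
        ViewStructure.HtmlInfo html = node.getHtmlInfo();
        if (html == null || html.getAttributes() == null) return false;
        for (Pair<String, String> attr : html.getAttributes()) {
            if ("type".equalsIgnoreCase(attr.first)
                    && "password".equalsIgnoreCase(attr.second)) return true;
        }
        return false;
    }
}
```

The service must be declared in the manifest with the `android.permission.BIND_AUTOFILL_SERVICE` permission and an intent filter for `android.service.autofill.AutofillService`, as with any autofill provider. The essential check is the one in `collect`: a field is a candidate only if a web domain is in scope and equals the credential's domain, so a username or password field belonging to the host app itself, which AutoSpill relies on, is skipped even when it is on screen at the same time as the WebView.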

The researchers tested the AutoSpill vulnerability using some of the most popular password managers, including 1Password, LastPass, Keeper, and Enpass, on new and updated Android devices.

They found that most of the apps were vulnerable to credential leaks even with JavaScript injection disabled; with JavaScript injection enabled, all of the password managers tested were affected. Gangwal says he notified Google and the affected password managers about the flaw. His team is also investigating whether the vulnerability can be replicated on iOS.

Written by giorgos

George still wonders what he's doing here ...
