Some mobile password managers could be leaking user credentials

Some mobile password managers could be leaking users’ credentials because of a weakness in how they handle Android’s autofill when an app renders a login page inside a WebView.

The problem, which the researchers have labelled ‘AutoSpill,’ can expose saved passwords from mobile password managers by abusing Android’s autofill mechanism: credentials intended for a web page end up filled into fields that belong to the app hosting that page.

The unsavoury news comes from researchers at the International Institute of Information Technology, Hyderabad, who presented their findings at the Black Hat Europe security conference.

The full study is extremely detailed, but the main problem is this: when an app loads a login page in a WebView, certain password managers cannot reliably tell whether the credentials they are about to fill belong to the web page or to the host app, and so fill them into fields the host app controls, where the app can read them. WebView is an Android component for rendering web pages without launching a separate browser, and apps often use it to show login pages (for example, a “Sign in with Google” page) and other content without bouncing users out of the app and into Chrome or another browser.
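A modelled illustration of that confusion, added here as an example and not code from the researchers or from any password manager: a toy autofill policy over a simplified view tree. The data types, the vault contents and the fill request are constructed for this example, and the real Android autofill framework exposes richer structures, but the decision that matters is the same: whether a credential saved for a web origin is allowed to land in the host app’s native widgets.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of a saved login. A web login is keyed by its domain;
# a native-app login would be keyed by the app's package name.
@dataclass(frozen=True)
class Credential:
    origin: str          # e.g. "accounts.google.com" or "com.example.host"
    username: str
    password: str

# Constructed model of one fillable node in the view tree the autofill
# framework hands to the password manager. Native widgets have
# web_domain=None; nodes inside a WebView carry the domain of their page.
@dataclass(frozen=True)
class FillNode:
    node_id: str
    hint: str                  # "username" or "password"
    package: str               # package of the host app owning the view tree
    web_domain: Optional[str]  # None for native widgets

FILLABLE = ("username", "password")

def vulnerable_fill(request, vault):
    """AutoSpill-style behaviour (modelled, not any real product's code):
    choose the saved login by the domain of the embedded web page, then
    fill every username/password node in the request, including the host
    app's own native widgets."""
    web_domains = {n.web_domain for n in request if n.web_domain}
    matches = [c for c in vault if c.origin in web_domains]
    if not matches:
        return {}
    cred = matches[0]
    return {n.node_id: (cred.username if n.hint == "username" else cred.password)
            for n in request if n.hint in FILLABLE}

def hardened_fill(request, vault):
    """Fill each node only with a credential saved for that node's own
    origin: the web domain for WebView nodes, the package name for native
    nodes. A credential saved for a website never reaches native widgets,
    and a credential saved for the app never reaches the embedded page."""
    by_origin = {c.origin: c for c in vault}
    filled = {}
    for n in request:
        origin = n.web_domain if n.web_domain else n.package
        cred = by_origin.get(origin)
        if cred is None or n.hint not in FILLABLE:
            continue
        filled[n.node_id] = cred.username if n.hint == "username" else cred.password
    return filled

def leaked_to_host(request, filled):
    """Ids of native (host-app) widgets that received a value."""
    native = {n.node_id for n in request if n.web_domain is None}
    return sorted(set(filled) & native)

# Constructed vault: the user only has a Google login saved.
VAULT = [Credential("accounts.google.com", "alice@example.com", "hunter2")]

# Constructed fill request: a third-party host app (com.example.host) shows
# a Google login page in a WebView and also has its own native login fields.
REQUEST = [
    FillNode("web_user", "username", "com.example.host", "accounts.google.com"),
    FillNode("web_pass", "password", "com.example.host", "accounts.google.com"),
    FillNode("native_user", "username", "com.example.host", None),
    FillNode("native_pass", "password", "com.example.host", None),
]

if __name__ == "__main__":
    print("vulnerable policy leaks to host app:",
          leaked_to_host(REQUEST, vulnerable_fill(REQUEST, VAULT)))
    print("hardened policy leaks to host app:",
          leaked_to_host(REQUEST, hardened_fill(REQUEST, VAULT)))
```

The vulnerable policy hands the Google password to `native_user` and `native_pass`, which the host app can read directly; the hardened policy fills only the two WebView nodes. Whatever the actual product code looks like, the check a practitioner should look for in an autofill service is the same: match each field against its own origin rather than matching once per request.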

Ankit Gangwal, one of the researchers on the project, says the leak of users’ credentials poses a significant security risk. “Even without phishing, any malicious app that asks you to log in via another site, like Google or Facebook, can automatically access sensitive information,” said Gangwal.

Popular password managers including Enpass, 1Password, LastPass and Keeper were tested for AutoSpill, and all showed some degree of credential leakage in the researchers’ tests.

Gangwal has reported the flaw to Google and to the affected password managers, and some of the companies have already told TechCrunch that they are working on a fix.

The team of student researchers is also looking into whether the vulnerability can be reproduced on iOS, and is exploring the reverse direction, in which a malicious web page loaded in a WebView could extract credentials meant for the host app.

Credential Manager, Google’s own Android sign-in API, which third-party password managers such as 1Password and Enpass integrate with, launched on November 1st.

Source: TechCrunch
