Android Warning - 1Password, DashLane, LastPass, and others can leak passwords


Six of the most popular password managers have been called out by security researchers who discovered a major vulnerability in Android’s autofill functionality. The AutoSpill vulnerability lets an attacker bypass the security mechanisms that protect autofill on Android devices, exposing credentials to the host application that invokes it.

What is the AutoSpill password manager vulnerability on Android?

The researchers, Ankit Gangwal, Shubham Singh, and Abhijit Srivastava of the International Institute of Information Technology in Hyderabad, presented their findings on December 6 at the Black Hat Europe conference. The aptly named AutoSpill vulnerability arises when an Android application loads a login page inside a WebView, the pre-installed Google component that lets Android apps display web content. Developers use it so their apps can show web pages without shipping a separate browser implementation. When the login page loads in the WebView, the autofill function starts and requests the corresponding login credentials. So far, so good. Things get a little less good, well, a lot, when those credentials are supplied by a password manager. What should happen is that the credentials are inserted only into the login fields of the page being loaded. Instead, and this is where it gets very worrying for most Android phone users, those credentials can also be delivered to the host app itself. This is a common scenario; examples include “opening in-app hyperlinks in Skype or Gmail mobile apps,” as well as a “Sign in with Apple/Facebook/Google button to authenticate the user within a third-party mobile app,” the researchers said.
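As an added illustration of the defence the vendors describe below (filling only fields that belong to the WebView, never the host app’s native fields), here is an example Android AutofillService in Kotlin. It is example code written for this article, not the code of 1Password, Keeper, LastPass or any other manager named here. The vault entry, the class and data names, and the assumption that the WebView node reports its document domain through webDomain and its HTML fields through htmlInfo are constructed for the example.

```kotlin
// Added example, not the code of any password manager named in the article.
// Fills a stored web credential only into HTML fields inside a WebView whose
// document domain matches the entry; native fields of the host app are never filled.
import android.app.assist.AssistStructure.ViewNode
import android.os.CancellationSignal
import android.service.autofill.AutofillService
import android.service.autofill.Dataset
import android.service.autofill.FillCallback
import android.service.autofill.FillRequest
import android.service.autofill.FillResponse
import android.view.View
import android.view.autofill.AutofillId
import android.view.autofill.AutofillValue
import android.widget.RemoteViews

class WebViewScopedAutofillService : AutofillService() {

    // Constructed sample vault entry (hypothetical); a real manager looks entries up by domain.
    private data class Credential(val domain: String, val username: String, val password: String)
    private val vault = listOf(Credential("accounts.example.com", "alice", "correct-horse"))

    // A fillable HTML field together with the domain of the WebView document it belongs to.
    private data class Target(val id: AutofillId, val hint: String, val domain: String)

    override fun onFillRequest(request: FillRequest, signal: CancellationSignal, callback: FillCallback) {
        val structure = request.fillContexts.last().structure
        val targets = mutableListOf<Target>()
        for (i in 0 until structure.windowNodeCount) {
            collectTargets(structure.getWindowNodeAt(i).rootViewNode, null, targets)
        }

        val response = FillResponse.Builder()
        var datasets = 0
        // One dataset per matching credential: selecting it fills every field of that domain.
        for (cred in vault) {
            val fields = targets.filter { it.domain == cred.domain }
            if (fields.isEmpty()) continue
            val presentation = RemoteViews(packageName, android.R.layout.simple_list_item_1)
            presentation.setTextViewText(android.R.id.text1, cred.username)
            val dataset = Dataset.Builder(presentation)
            for (f in fields) {
                val value = if (f.hint == View.AUTOFILL_HINT_PASSWORD) cred.password else cred.username
                dataset.setValue(f.id, AutofillValue.forText(value))
            }
            response.addDataset(dataset.build())
            datasets++
        }
        // A null response tells the framework there is nothing to fill.
        callback.onSuccess(if (datasets > 0) response.build() else null)
    }

    // Walks the view tree. enclosingDomain is the document domain of the nearest WebView
    // above this node, or null when the node is a native view of the host app.
    private fun collectTargets(node: ViewNode, enclosingDomain: String?, out: MutableList<Target>) {
        val domain = if (node.className == "android.webkit.WebView") node.webDomain else enclosingDomain
        val hint = node.autofillHints?.firstOrNull {
            it == View.AUTOFILL_HINT_USERNAME || it == View.AUTOFILL_HINT_PASSWORD
        }
        val id = node.autofillId
        // The AutoSpill check: only an HTML field (htmlInfo present) under a WebView with a
        // known domain qualifies. A native field with a matching hint is deliberately ignored.
        if (hint != null && id != null && domain != null && node.htmlInfo != null) {
            out.add(Target(id, hint, domain))
        }
        for (i in 0 until node.childCount) collectTargets(node.getChildAt(i), domain, out)
    }
}
```

The service must be declared in the app manifest with the BIND_AUTOFILL_SERVICE permission and the AutofillService intent filter before the system will call it. Note that the domain a WebView reports is supplied by the host app and is not verified by the framework, so a production manager should also decide, per calling package, whether that app is one it is willing to hand web credentials to at all; this example only shows the field-level separation that stops the spill into native fields.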


Which password managers are at risk from AutoSpill?

Several of the most popular password managers were shown to be vulnerable to the AutoSpill exploit: 1Password, LastPass, Enpass, Keeper, and Keepass2Android. When JavaScript injection was enabled, DashLane and Google Smart Lock were also vulnerable to credential theft. Although there is no evidence of AutoSpill being exploited in the wild, the researchers are at pains to point out that its consequences are serious. A malicious app built to harvest credentials while posing as a harmless utility would not need any malicious code of its own, which means it could be listed on the official app store. “We responsibly disclosed our findings to the affected password managers and the Android Security team. Various password managers and Google accepted our work as a valid issue,” the researchers said.


“1Password’s autofill function is designed to ask the user to take an explicit action,” said Pedro Canahuati, chief technology officer at 1Password, adding that work is underway to fix the issue. “The update will provide additional protection by preventing native fields from being filled with credentials intended only for Android WebView.”

“On Android, Keeper prompts the user when they attempt to autofill credentials in an Android app or website,” said Craig Lurey, chief technology officer at Keeper. “On June 29, we reported this information to the researcher and also recommended that they submit their report to Google as it specifically relates to the Android platform.”

“LastPass already had mitigation in place, with a pop-up warning within the product when the app detected an attempt to leverage the exploit,” Alex Cox, director of threat intelligence on LastPass’s mitigation and escalation team, told TechCrunch. “After analyzing the results, we added more informative language to the pop-up.”

A Google spokesperson told Bleeping Computer, “This issue relates to how password managers take advantage of autofill APIs when interacting with WebViews. We recommend that third-party password managers be sensitive about where passwords are entered, and we have WebView best practices that we recommend all password managers implement.”

I’ve reached out to the developers of Enpass and Keepass2Android and will update this article with any data.




In today’s digital age, the security of our personal information has become a top concern. With the prevalence of Android devices and the use of password management apps like 1Password, DashLane, LastPass, and others, the potential for password leaks has become a frightening reality. As more and more users rely on these apps to store and manage their sensitive information, the discovery of vulnerabilities and security breaches has raised alarm bells for Android users. It is crucial for individuals to be aware of the potential risks associated with these popular password management apps in order to protect their valuable personal data.

