Android WebView vulnerabilities: Password managers can leak user credentials


Black Hat Europe – London – Researchers have shown how the most widely used password managers can leak credentials from Android devices when the mobile operating system’s WebView autofill capability is used with malicious apps.

At the Black Hat Europe conference this week, Ankit Gangwal of the International Institute of Information Technology (IIIT) showed how mobile applications that use WebView controls can cause credential leaks from many password managers.

Gangwal and his students, Shubham Singh and Abhijit Srivastava, uncovered a credential-leaking vulnerability they call “AutoSpill,” which they presented in a paper in April at the ACM Conference on Application and Data Security and Privacy (CODASPY). The paper, which won top honors at the CODASPY event, details how Android’s WebView autofill functionality could inadvertently leak credentials from password managers on mobile devices.

This discovery comes as the use of password managers accelerates. In the US, 34% of people use a password manager, up from 21% in 2022, according to Security.org’s annual “Password Management Industry Report and Market Forecast.”

Gangwal explains that he and his students found the top 10 password managers vulnerable to AutoSpill: an application can obtain the user’s username and password when it invokes a WebView. According to Gangwal, the issue arises when a user unintentionally downloads a malicious app.

Credential theft: “No phishing required”

“If it’s a malicious app, it will receive the credentials for free,” Gangwal says. “No need for phishing, no need to cheat, no need for anything. The worst part is that such apps can remain in the official stores [i.e., Google Play], as they can be distributed to a larger user base, which makes this problem more serious, in my opinion.”

Gangwal says he’s not aware of anyone taking advantage of AutoSpill. “I hope no one takes advantage of it,” he says. “The moment we discovered this thing, we documented everything. We shared it with the affected password managers and the Google team.” After publishing the paper, Gangwal emailed the paper to all password management providers. One person, whom Gangwal did not identify, failed to respond despite numerous contact attempts. Many who responded deferred the issue to Google.

“They said it’s not our responsibility, it’s an Android problem,” Gangwal recalls. “We try to argue with them again and again. We invested a lot of time in communicating and explaining the problem to them. They completely denied everything.”

Among those who responded was 1Password, which Gangwal says promised to fix the issue.

In a brief response to an inquiry from Dark Reading, Pedro Canahuati, CTO at 1Password, confirmed that a fix is in the works. “While the fix will further strengthen our security posture, 1Password’s autofill functionality is designed to require a clear user action,” Canahuati says. “The update will provide additional protection by preventing native fields from being filled with credentials intended only for Android WebView.”

Meanwhile, Gangwal says Google has given the AutoSpill vulnerability a priority 2 and a severity rating of 2 through its bug hunting community program. Although the progress of the investigation into the bug-hunting program has not been announced, Gangwal says, “They have responded several times that they are trying to fix it.”

When contacted for comment, a Google spokesperson provided the following response to Dark Reading:

“WebView is used in several ways by Android developers, including hosting login pages for their own services in their apps,” he says. “This issue is related to how password managers take advantage of autofill APIs when interacting with WebView. We recommend that third-party password managers be sensitive about where passwords are entered, and we have published WebView best practices, which we recommend all password managers implement.”

“Android provides password managers with the context needed to differentiate between native views and WebViews, as well as whether the WebView being loaded is not associated with the hosting application,” he adds. “For example, when using Google Password Manager for autofill on Android, users are warned if they are entering a password for a domain that Google determines may not be owned by the hosting application, and the password is only filled in the appropriate field. Google implements server-side protections for WebView logins.”

Potential remedies

Gangwal notes that password managers can mitigate the risk by associating the web domain with the input fields that carry the username and password. “This way, they can develop a safer coupling.”
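One way a password manager’s Android AutofillService could implement the domain-to-field coupling Gangwal describes, using the native-view versus WebView context Google’s statement refers to, as an added example that is not code from 1Password, Google or the AutoSpill paper: every credential field in a fill request is bound to exactly one domain, either the WebView page’s own domain or the hosting app’s verified domain, so a login page shown in a WebView never causes the host app’s native fields to be filled. `AutoSpillGuard`, `Target` and the `verifiedDomainForPackage` map are assumed names; how a package is verified to own a domain (for example via Digital Asset Links) is outside the block.

```java
import android.app.assist.AssistStructure;
import android.app.assist.AssistStructure.ViewNode;
import android.view.View;
import android.view.autofill.AutofillId;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
// Added example (not 1Password's, Google's or the paper's code): binds each credential field in a
// fill request to the single domain whose credential it may receive, preventing AutoSpill-style leaks.
public final class AutoSpillGuard {
    /** One fillable field and the domain it is bound to. */
    public static final class Target {
        public final AutofillId id; public final String domain; public final boolean isPassword;
        Target(AutofillId id, String domain, boolean isPassword) {
            this.id = id; this.domain = domain; this.isPassword = isPassword;
        }
    }
    // Hypothetical: package name -> domain the service has verified the package owns
    // (e.g. via Digital Asset Links). Absent means "unverified: never fill its native fields".
    private final Map<String, String> verifiedDomainForPackage;
    public AutoSpillGuard(Map<String, String> verifiedDomainForPackage) {
        this.verifiedDomainForPackage = verifiedDomainForPackage;
    }
    /** Walks the structure delivered with onFillRequest() and returns the fields that may be filled. */
    public List<Target> collectTargets(AssistStructure structure) {
        String hostPkg = structure.getActivityComponent().getPackageName();
        List<Target> out = new ArrayList<>();
        for (int i = 0; i < structure.getWindowNodeCount(); i++) {
            walk(structure.getWindowNodeAt(i).getRootViewNode(), hostPkg, out);
        }
        return out;
    }
    private void walk(ViewNode node, String hostPkg, List<Target> out) {
        String[] hints = node.getAutofillHints();
        boolean user = false, pass = false;
        if (hints != null) {
            for (String h : hints) {
                user |= View.AUTOFILL_HINT_USERNAME.equals(h);
                pass |= View.AUTOFILL_HINT_PASSWORD.equals(h);
            }
        }
        if (user || pass) {
            String webDomain = node.getWebDomain();   // non-null only for fields inside a WebView
            // WebView field: bound to the page's own domain. Native field: bound to the host app's
            // verified domain, or skipped entirely when the app has none. Never cross the two.
            String domain = (webDomain != null) ? webDomain : verifiedDomainForPackage.get(hostPkg);
            if (domain != null) out.add(new Target(node.getAutofillId(), domain, pass));
        }
        for (int i = 0; i < node.getChildCount(); i++) walk(node.getChildAt(i), hostPkg, out);
    }
}
```

The service then looks up the credential for each target’s own domain and builds one Dataset per domain; a native field in an app with no verified domain simply gets no Dataset, which is the behaviour 1Password describes for its fix.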

Gangwal believes the ultimate remedy is to remove passwords entirely in favor of passkeys: digital credentials that enable passwordless authentication using private cryptographic keys, based on FIDO Alliance specifications implementing the World Wide Web Consortium (W3C) WebAuthn standard.

“I think passkeys will solve this whole problem because they are signature-based, and you need to explicitly grant permission to every app that can access the passkey,” he says. “However, being researchers, let’s see what happens because what we are studying now is incomplete. But we believe we will see promising results.”


Android WebView vulnerabilities pose a significant threat to user privacy and security, particularly where sensitive information such as passwords is handled. Password managers, widely used to store and autofill passwords securely, can leak user credentials through these WebView weaknesses. As more users rely on password managers to keep their accounts secure, addressing these vulnerabilities is crucial to protecting their personal information from exploitation.
