Vulnerability in Android Password Managers Exposes User Credentials

Numerous widely-used mobile password managers have unintentionally leaked user credentials due to a flaw in the autofill feature of Android apps, TechCrunch is reporting.


Dubbed “AutoSpill,” this vulnerability bypasses Android’s secure autofill mechanism, allowing exposure of stored credentials.

Researchers from IIIT Hyderabad uncovered and presented this vulnerability at Black Hat Europe.

When an Android app loads a login page inside a WebView, password managers cannot reliably tell which fields the user's login information belongs to.

Consequently, credentials are also filled into the underlying app's native fields, even though WebView is Google's preinstalled engine for displaying web content inside an app.

Ankit Gangwal, one of the researchers, explained that even legitimate actions like logging in through Google or Facebook within an app can expose credentials to the base app.

Gangwal highlighted that if the base app turns malicious, the vulnerability’s impact could be severe.


The team tested popular password managers like 1Password, LastPass, Keeper, and Enpass on updated Android devices.

They found most of the apps vulnerable, even with JavaScript injection disabled. Enabling JavaScript injection made the issue worse across all tested password managers.

Google and affected password managers were alerted to the flaw by Gangwal.

While 1Password’s CTO, Pedro Canahuati, confirmed they’re working on a fix, Keeper’s CTO, Craig Lurey, mentioned being notified of a potential issue but didn’t confirm any fixes.

LastPass had a prior mitigation in place, including an in-product warning, which they enhanced after analyzing the researchers’ findings.

The researchers are exploring whether attackers could also extract credentials in the other direction, from apps into WebView. Additionally, they are investigating whether this vulnerability affects iOS.
