Use a password manager? Be careful where you autofill on Android

SUMMARY

  •  Researchers have disclosed a weakness affecting several Android password managers, dubbed “AutoSpill,” which could let a malicious app capture user credentials while the manager autofills login details into a WebView the app hosts.
  •  The researchers said they tested the vulnerability on multiple Android devices, although seemingly on older models.
  •  Several password manager brands are already addressing the vulnerability, with some offering enhanced warnings to users.

Password managers serve an essential role in simplifying our online activity. They can securely store troves of accounts and their corresponding passwords, with the convenience of automatically filling out the details when signing into a new service. Despite the safeguards put in place by Google and password managers, the evolving nature of mobile security means new vulnerabilities keep popping up. Researchers from the International Institute of Information Technology (IIIT) in Hyderabad, India, have uncovered a new issue with some password managers on Android, wherein malicious apps can steal or capture the user’s credentials in WebView, particularly when the password manager tries to autofill login credentials.

Named “AutoSpill,” this vulnerability was jointly discovered by Ankit Gangwal, Shubham Singh, and Abhijeet Srivastava, who have reportedly been in touch with the makers of the password manager apps they tested it against (1Password, LastPass, Keeper, and Enpass) as well as Google. They presented their findings in detail at the recently concluded Black Hat Europe 2023, a well-known annual cybersecurity conference.

The trio of researchers conducted the tests on “new and up-to-date Android devices,” according to TechCrunch. However, one of the slides from their presentation shows the devices actually used: a Poco F1 running Android 10 with the December 2020 security patch, a Samsung Galaxy A52 (Android 12, April 2022 patch), and a Galaxy Tab S6 Lite (Android 11, January 2022 patch). With no Android 13 or Android 14 devices in the test set, we cannot rule out that Google is already aware of the issue, or has even addressed it, in more recent releases of Android.

WebView is the Android component that lets an app render a web page inside its own user interface instead of handing off to your primary mobile browser. It is commonly used for in-app sign-ins and similar flows to make things a little smoother. Most users are familiar with the Sign in with Google or Sign in with Facebook options that appear when logging into a service from inside an app; the login page you see there is typically loaded in a WebView that the host app controls. Password managers are designed to fetch and autofill your login details into that page to save time, and this is where the AutoSpill vulnerability comes into the equation, per the researchers.

In a conversation with TechCrunch, the researchers said that password managers can be “disoriented” about where the login details should go and hence reveal the sensitive data to the “base app” instead.

“When the password manager is invoked to autofill the credentials, ideally, it should autofill only into the Google or Facebook page that has been loaded. But we found that the autofill operation could accidentally expose the credentials to the base app,” researcher Gangwal told TechCrunch.
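The check that prevents a web credential from landing in the host app's own fields, as an added example that is not from the article or from any of the vendors it names: a minimal Android AutofillService that offers a saved credential only to fields sitting inside a WebView document served from the credential's own origin, and never to the base app's native fields unless the user has explicitly authorized that package. The `SavedCredential` store, the `isPackageAuthorizedByUser` allowlist and the `R.layout.autofill_item` presentation layout are assumptions made for illustration; the Android framework calls (`AssistStructure`, `ViewNode.getWebDomain()`, `Dataset`, `FillResponse`) are real.

```java
// Added example, not code from Android Police or any password manager vendor.
// Assumptions: a hypothetical in-memory SavedCredential, a hypothetical
// user-maintained package allowlist, and a layout resource R.layout.autofill_item.
package example.autofill;

import android.app.assist.AssistStructure;
import android.app.assist.AssistStructure.ViewNode;
import android.os.CancellationSignal;
import android.service.autofill.AutofillService;
import android.service.autofill.Dataset;
import android.service.autofill.FillCallback;
import android.service.autofill.FillContext;
import android.service.autofill.FillRequest;
import android.service.autofill.FillResponse;
import android.service.autofill.SaveCallback;
import android.service.autofill.SaveRequest;
import android.util.Pair;
import android.view.View;
import android.view.ViewStructure.HtmlInfo;
import android.view.autofill.AutofillId;
import android.view.autofill.AutofillValue;
import android.widget.RemoteViews;
import java.util.ArrayList;
import java.util.List;

public class OriginBoundAutofillService extends AutofillService {

    // Hypothetical saved credential; a real manager loads this from its vault.
    static final class SavedCredential {
        final String origin, username, password; // origin = host it was saved for
        SavedCredential(String origin, String username, String password) {
            this.origin = origin; this.username = username; this.password = password;
        }
    }
    private static final SavedCredential DEMO =
            new SavedCredential("accounts.google.com", "alice@example.com", "hunter2");

    @Override
    public void onFillRequest(FillRequest request, CancellationSignal signal, FillCallback callback) {
        List<FillContext> contexts = request.getFillContexts();
        AssistStructure structure = contexts.get(contexts.size() - 1).getStructure();
        String hostPackage = structure.getActivityComponent().getPackageName();

        List<AutofillId> usernameIds = new ArrayList<>();
        List<AutofillId> passwordIds = new ArrayList<>();
        for (int i = 0; i < structure.getWindowNodeCount(); i++) {
            collect(structure.getWindowNodeAt(i).getRootViewNode(), null, hostPackage, usernameIds, passwordIds);
        }
        if (usernameIds.isEmpty() && passwordIds.isEmpty()) {
            callback.onSuccess(null); // nothing we are willing to fill in this app
            return;
        }
        RemoteViews presentation = new RemoteViews(getPackageName(), R.layout.autofill_item);
        Dataset.Builder dataset = new Dataset.Builder(presentation);
        for (AutofillId id : usernameIds) dataset.setValue(id, AutofillValue.forText(DEMO.username));
        for (AutofillId id : passwordIds) dataset.setValue(id, AutofillValue.forText(DEMO.password));
        callback.onSuccess(new FillResponse.Builder().addDataset(dataset.build()).build());
    }

    // Walks the view tree. inheritedDomain is the web domain of the nearest enclosing
    // WebView document, or null for native views belonging to the host app itself.
    private void collect(ViewNode node, String inheritedDomain, String hostPackage,
                         List<AutofillId> usernameIds, List<AutofillId> passwordIds) {
        String domain = node.getWebDomain() != null ? node.getWebDomain() : inheritedDomain;
        int kind = classify(node);
        if (kind != 0 && node.getAutofillId() != null && mayFill(domain, hostPackage)) {
            (kind == 2 ? passwordIds : usernameIds).add(node.getAutofillId());
        }
        for (int i = 0; i < node.getChildCount(); i++) {
            collect(node.getChildAt(i), domain, hostPackage, usernameIds, passwordIds);
        }
    }

    // The origin check: a web credential goes only to a field inside a document from
    // the origin it was saved for. A native field of the host app (domain == null)
    // gets it only if the user explicitly authorized that package; default is deny.
    private boolean mayFill(String domain, String hostPackage) {
        if (domain != null) return domain.equalsIgnoreCase(DEMO.origin);
        return isPackageAuthorizedByUser(hostPackage, DEMO);
    }

    private boolean isPackageAuthorizedByUser(String pkg, SavedCredential cred) {
        return false; // hypothetical: consult a user-maintained allowlist for this credential
    }

    // 1 = username field, 2 = password field, 0 = neither. Uses the view's autofill
    // hints first, then the HTML input type a WebView reports. Deliberately minimal.
    private static int classify(ViewNode node) {
        String[] hints = node.getAutofillHints();
        if (hints != null) {
            for (String h : hints) {
                if (View.AUTOFILL_HINT_PASSWORD.equals(h)) return 2;
                if (View.AUTOFILL_HINT_USERNAME.equals(h) || View.AUTOFILL_HINT_EMAIL_ADDRESS.equals(h)) return 1;
            }
        }
        HtmlInfo html = node.getHtmlInfo();
        if (html != null && html.getAttributes() != null) {
            for (Pair<String, String> a : html.getAttributes()) {
                if ("type".equalsIgnoreCase(a.first) && "password".equalsIgnoreCase(a.second)) return 2;
            }
        }
        return 0;
    }

    @Override
    public void onSaveRequest(SaveRequest request, SaveCallback callback) {
        callback.onSuccess(); // saving new credentials is out of scope for this example
    }
}
```

The important decision is in `mayFill`: a field with no web domain is a native view of the base app, and a web credential is withheld from it by default, which is exactly the case the researchers describe. On API 28 and later, `ViewNode.getWebScheme()` can additionally be required to be `https`, and a production service would also consult Digital Asset Links before treating a package as associated with a site rather than relying on a manual allowlist.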

We reached out to the makers of the popular password manager Bitwarden, who wrote back with the following statement:

Bitwarden was not listed in this research and has not been notified by the researchers that it affects Bitwarden. Bitwarden is currently investigating the details and will address it if needed.

Meanwhile, 1Password said it’s aware of this vulnerability and that the company is in the process of rolling out a fix. The CTO of Keeper, Craig Lurey, said its service has safeguards “to protect users against automatically filling credentials into an untrusted application or a site that was not explicitly authorized by the user.”

On the other hand, LastPass’s director of threat intelligence, Alex Cox, told TechCrunch that the service already showed a warning pop-up for apps attempting this kind of autofill before the vulnerability was presented at Black Hat. Cox went on to say that the team has added more “informative wording” to the pop-up since the disclosure.

As for the three researchers’ next steps, they are reportedly trying to replicate the same attack on Apple’s iOS, and also investigating whether the leak works in the other direction, with an attacker pulling data from the base app into the WebView page.

To be clear, AutoSpill can only succeed if the user autofills into a WebView hosted by an unknown or malicious app. Furthermore, your personal Android phone may not require autofill from password manager apps at all, especially if you’re signing in with the device’s primary Google account. In our experience, password managers have been somewhat unreliable in accessing autofill for login, so we mostly end up using the good old copy/paste method. We’re curious to see what Google makes of this exploit now that makers of password manager apps have already confirmed this is an issue.

NOTE: This article is copyright androidpolice.com and is reproduced here for educational or informational purposes only.