Top mobile password managers could be exposing user details
Some of the most popular password managers on Android have a serious security flaw that can cause the worst possible outcome for users: leaking their credentials.
The vulnerability is known as 'AutoSpill' and concerns a bug in the autofill feature on Android devices.
It was discovered by researchers from the International Institute of Information Technology (IIIT) Hyderabad, who presented their findings at the recent Black Hat Europe conference.
AutoSpill security risk
The issue occurs when an app's login page is rendered in WebView, the Android component that lets developers display web content inside an app without opening a browser. The password manager cannot reliably tell which part of the screen it is filling, and may instead “expose the login credentials to the base app,” Ankit Gangwal, one of the researchers involved, told TechCrunch.
The password manager is supposed to auto-populate the user's credentials only in the login page shown inside the WebView. Gangwal warns that this poses a significant threat in the case of malicious apps, which can exploit the flaw to harvest a user's credentials automatically without having to run a phishing campaign.
The password managers the researchers say they tested include 1Password, LastPass, Keeper and Enpass, some of the most popular and best password managers available. They also said that the Android devices they used were new and fully up to date.
Most of the apps listed above were vulnerable to AutoSpill even with JavaScript injection disabled; with it enabled, all of them were susceptible.
Google and the affected password managers have been notified of the flaw. 1Password told TechCrunch that it will work to fix the bug, while Keeper requested a video demonstration of the bug in action.
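As an added illustration, not code from the researchers or from any of the vendors named here, the following Kotlin sketch shows the check a password manager's Android AutofillService can make to avoid the failure mode described above: walk the structure Android hands to onFillRequest, note whether each password field sits inside a WebView (ViewNode.getWebDomain() is populated on the node hosting the page), and key the credential lookup on the web domain rather than on the host app, filling only when that domain is associated with the host package. The association lookup isDomainAssociatedWith is a hypothetical hook standing in for whatever the manager actually uses (a cached Digital Asset Links check, for example); it is not an Android API.

```kotlin
import android.app.assist.AssistStructure
import android.app.assist.AssistStructure.ViewNode
import android.service.autofill.FillRequest
import android.view.View

// Where a password field sits and which origin the credential lookup should
// be keyed on. Illustrative model only, not any vendor's data structure.
data class FillTarget(
    val node: ViewNode,
    val hostPackage: String,
    val webDomain: String?   // non-null when the field is rendered inside a WebView
) {
    val isInWebView: Boolean get() = webDomain != null
}

// Walks the AssistStructure delivered to AutofillService.onFillRequest and
// records every password-hinted field together with the WebView origin (if
// any) it belongs to. WebView sets getWebDomain() on the node that hosts the
// page; descendants inherit it here through `inheritedDomain`.
fun collectPasswordTargets(request: FillRequest): List<FillTarget> {
    val structure: AssistStructure = request.fillContexts.last().structure
    val hostPackage = structure.activityComponent.packageName
    val out = mutableListOf<FillTarget>()

    fun walk(node: ViewNode, inheritedDomain: String?) {
        val domain = node.webDomain ?: inheritedDomain
        if (node.autofillHints?.contains(View.AUTOFILL_HINT_PASSWORD) == true) {
            out += FillTarget(node, hostPackage, domain)
        }
        for (i in 0 until node.childCount) walk(node.getChildAt(i), domain)
    }
    for (i in 0 until structure.windowNodeCount) {
        walk(structure.getWindowNodeAt(i).rootViewNode, null)
    }
    return out
}

// Policy: a field inside a WebView is filled only with credentials saved for
// that web domain, and only if the host app is allowed to see them.
// `isDomainAssociatedWith` is a hypothetical hook (e.g. a Digital Asset Links
// lookup the manager performs and caches); it is not part of Android.
fun credentialKeyFor(
    target: FillTarget,
    isDomainAssociatedWith: (domain: String, pkg: String) -> Boolean
): String? = when {
    !target.isInWebView -> "app:${target.hostPackage}"
    isDomainAssociatedWith(target.webDomain!!, target.hostPackage) -> "web:${target.webDomain}"
    else -> null   // unrelated host app embedding a login page: do not fill
}
```

Because the host app controls the WebView (and, with JavaScript enabled, can read anything typed or filled into it), the association check is what matters: filling web credentials into a WebView embedded in an unrelated app hands them to that app regardless of which field they land in, so the safe default when the domain and package are not linked is to fill nothing.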
After seeing it, Keeper CTO Craig Lurey said he believed that “the researcher first installed a malicious application and then accepted a request from Keeper to force the malicious application's association with a Keeper password record.”
Lurey further defended Keeper's security posture, saying that it has “implemented safeguards to protect users from auto-filling login credentials in an untrusted application.” He also advised the researchers to share their findings with Google as the issue specifically affects the Android platform.
LastPass told TechCrunch that it already had a pop-up alert warning users about potential dangers of autofill, but that in light of the investigation it will now add “more informative wording” to the notification.
The researchers said they will also test the flaw on iOS devices.