Several well-known mobile password managers are unexpectedly leaking user credentials due to a flaw in how Android's autofill feature behaves inside apps.
This flaw, named "AutoSpill," risks exposing users' stored credentials from mobile password managers by bypassing Android's secure autofill system, as discovered by IIIT Hyderabad university researchers Ankit Gangwal, Shubham Singh, and Abhijeet Srivastava. Their findings were shared at Black Hat Europe.
The researchers observed that when an Android app displays a login page in WebView, password managers may incorrectly determine where to input user credentials, inadvertently revealing them to the app itself. The issue stems from WebView's design: it lets an app display web content in-app without opening a browser, and an embedded login page shown this way triggers an autofill request that the password manager must answer.
Gangwal, speaking to TechCrunch, illustrated this with an example of logging into a music app via Google or Facebook. Ideally, the password manager should fill credentials only on the loaded Google or Facebook page. However, they found that autofill could mistakenly reveal credentials to the base app.
Gangwal emphasized the significant risk of this vulnerability, particularly with malicious base apps, which could access sensitive information without phishing.
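To make the fill-scoping decision concrete, here is an added Python model (not code from the researchers, Google or any password manager) of the check an autofill service can apply to a request that mixes the host app's native fields with fields rendered inside a WebView. The ViewNode and Credential classes, the package name com.example.music and the credential values are constructed stand-ins for the Android API objects; real managers usually match on the registrable domain rather than the exact host, which is simplified here.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

@dataclass
class ViewNode:
    """Constructed stand-in for an Android AssistStructure.ViewNode."""
    node_id: str
    hints: Tuple[str, ...]            # e.g. ("username",) or ("password",)
    web_domain: Optional[str] = None  # set only for nodes rendered in a WebView

@dataclass
class Credential:
    username: str
    password: str
    web_origin: Optional[str] = None  # e.g. "https://accounts.google.com"
    app_package: Optional[str] = None # set only if bound to a native app

def naive_fill(nodes: List[ViewNode], cred: Credential) -> Dict[str, str]:
    """Leaky behaviour: fill every field whose hint matches, ignoring
    whether it belongs to the WebView page or to the host app's own views."""
    return {n.node_id: cred.username if "username" in n.hints else cred.password
            for n in nodes if {"username", "password"} & set(n.hints)}

def scoped_fill(pkg: str, nodes: List[ViewNode], cred: Credential) -> Dict[str, str]:
    """Hardened behaviour: a web-bound credential may only land in WebView nodes
    whose domain equals its origin host, never in the host app's native fields;
    an app-bound credential fills native fields only for the bound package."""
    origin_host = urlsplit(cred.web_origin).hostname if cred.web_origin else None
    out: Dict[str, str] = {}
    for n in nodes:
        if n.web_domain is None:          # native view owned by the base app `pkg`
            if cred.app_package is None or cred.app_package != pkg:
                continue
        elif origin_host is None or n.web_domain.lower() != origin_host:
            continue                      # web page with a foreign or unknown domain
        if "username" in n.hints:
            out[n.node_id] = cred.username
        elif "password" in n.hints:
            out[n.node_id] = cred.password
    return out

# Constructed request: a music app hosts a Google login page in a WebView while
# also exposing its own native username/password fields.
MUSIC_APP = "com.example.music"
NODES = [ViewNode("app_user", ("username",)), ViewNode("app_pass", ("password",)),
         ViewNode("web_user", ("username",), "accounts.google.com"),
         ViewNode("web_pass", ("password",), "accounts.google.com")]
GOOGLE_CRED = Credential("alice", "s3cret", web_origin="https://accounts.google.com")
```

Running `naive_fill(NODES, GOOGLE_CRED)` hands the Google password to the music app's own `app_pass` field, while `scoped_fill(MUSIC_APP, NODES, GOOGLE_CRED)` fills only the two WebView nodes.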
The team tested AutoSpill on widely used password managers, including 1Password, LastPass, Keeper, and Enpass, on modern Android devices. They found that most of the apps were prone to credential leakage, with the risk increasing when JavaScript injection was enabled.
1Password and Keeper responded to TechCrunch about addressing this issue. Pedro Canahuati, 1Password's CTO, mentioned a forthcoming fix to strengthen security, ensuring credentials are only filled in intended fields. Craig Lurey, Keeper's CTO, acknowledged the potential vulnerability but didn't confirm any specific fixes.
Google and Enpass did not respond to inquiries, while LastPass had an existing mitigation via an in-app warning, later updated for clarity.
Gangwal reported these findings to Google and the affected password managers. The research team is further exploring potential credential extraction from app to WebView and the possibility of replicating this vulnerability on iOS.