YOUR MOBILE PASSWORD MANAGER COULD BE LEAKING THE CREDENTIALS

Password in text (Pexels)

Some of the most popular Android mobile password managers have severe security weaknesses that can lead to the worst outcome for their users: leakage of the stored credentials.

The vulnerability, known as “Autospill,” is caused by a bug in the autofill function on Android devices.

Researchers from the International Institute of Information Technology (IIIT) Hyderabad made the discovery and recently presented their research at the Black Hat Europe conference.

HOW VULNERABLE IS ‘AUTOSPILL’

Ankit Gangwal, Shubham Singh, and Abhijeet Srivastava discovered that when an Android app loads a login page in WebView, password managers can become “disoriented” about where the user’s login information should go, and end up exposing the credentials to the underlying app’s native fields instead of the login page.


WebView, Google’s preinstalled engine, lets developers show web content inside an app without launching a web browser; when a login page is displayed this way, the password manager receives an autofill request for it.
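To make the mechanism concrete, here is an added, simplified Python model of the fill decision a password manager makes (not code from the researchers or any password manager): the host app's view structure contains both its own native fields and a WebView login page, and the naive rule fills every credential-hinted field while the hardened rule fills only fields whose web domain matches the credential's origin. The node layout, hint names and the domain `accounts.example.com` are constructed for the example.

```python
"""Simplified model of an autofill fill decision for a WebView-hosted login page."""
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple

CREDENTIAL_HINTS = {"username", "password"}


@dataclass
class ViewNode:
    """Constructed stand-in for an Android assist-structure node."""
    autofill_id: str
    hints: Tuple[str, ...] = ()
    web_domain: Optional[str] = None  # set only for nodes rendered inside a WebView page
    children: List["ViewNode"] = field(default_factory=list)


def flatten(node: ViewNode) -> Iterator[ViewNode]:
    yield node
    for child in node.children:
        yield from flatten(child)


def naive_fill_targets(root: ViewNode, credential_domain: str) -> List[str]:
    """Vulnerable rule: once any WebView page matches the credential's domain,
    fill every username/password field in the structure, native fields included."""
    nodes = list(flatten(root))
    if not any(n.web_domain == credential_domain for n in nodes):
        return []
    return [n.autofill_id for n in nodes if CREDENTIAL_HINTS & set(n.hints)]


def hardened_fill_targets(root: ViewNode, credential_domain: str) -> List[str]:
    """Hardened rule: fill only fields that belong to a web page whose domain
    matches the credential's origin; the host app's native fields never receive
    credentials that were saved for a web site."""
    return [n.autofill_id for n in flatten(root)
            if n.web_domain == credential_domain and CREDENTIAL_HINTS & set(n.hints)]


# Constructed view structure: a host app with its own native login fields plus an
# embedded WebView showing a third-party login page.
HOST_APP_TREE = ViewNode("root", children=[
    ViewNode("host_user", hints=("username",)),   # native field owned by the host app
    ViewNode("host_pass", hints=("password",)),   # native field owned by the host app
    ViewNode("webview", children=[
        ViewNode("web_user", hints=("username",), web_domain="accounts.example.com"),
        ViewNode("web_pass", hints=("password",), web_domain="accounts.example.com"),
    ]),
])
```

Running both rules on `HOST_APP_TREE` with the domain `accounts.example.com` shows the difference: the naive rule also hands the web credential to `host_user` and `host_pass`, the hardened rule fills only the two WebView fields.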

“Let’s say you are trying to log into your favorite music app on your mobile device, and you use the option of ‘login via Google or Facebook.’ The music app will open a Google or Facebook login page inside itself via the WebView,” Gangwal explained to TechCrunch before the Black Hat presentation on Wednesday.

Gangwal warns that the implications of this issue are severe, especially when the underlying app is malicious.

“Any malicious app that asks you to log in via another site, like Google or Facebook, can automatically access sensitive information,” he continued.


The AutoSpill vulnerability was tested on new and updated Android smartphones utilising some of the most popular password managers, including 1Password, LastPass, Keeper, and Enpass.

They discovered that most apps were susceptible to credential leaks even with JavaScript injection turned off.

When JavaScript injection was enabled, all password managers were vulnerable to the AutoSpill vulnerability.

Gangwal claims he informed Google and the password managers affected by the flaw.
