A critical vulnerability, named “AutoSpill,” has been discovered in the autofill functionality of Android apps, leading several popular mobile password managers to inadvertently expose user credentials. Researchers from the IIIT Hyderabad presented their findings at Black Hat Europe, shedding light on the potential risks associated with this security flaw.
The AutoSpill vulnerability enables the exposure of saved credentials from mobile password managers by bypassing Android’s secure autofill mechanism. This flaw, as identified by Ankit Gangwal, Shubham Singh, and Abhijeet Srivastava, becomes apparent when an Android app loads a login page in WebView, causing password managers to misdirect autofill to the app’s native fields. WebView, a preinstalled engine from Google, allows developers to display web content within an app without launching a separate web browser.
To illustrate, when logging into a mobile app using the “login via Google or Facebook” option, WebView opens a Google or Facebook login page within the app. The password manager, designed to autofill credentials, may inadvertently expose them to the app’s native fields instead of limiting autofill to the loaded Google or Facebook page. This misdirection of the autofill target is the vulnerability: the hosting app, rather than the web page, receives the credentials, and a malicious app could exploit that.
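As an added illustration of the mitigation side (this is example code, not the researchers' or any vendor's implementation), the following Android autofill service only offers a saved web credential to fields that the framework reports as belonging to a WebView page, identified by `ViewNode.webDomain`, and never to the host app's native fields. The vault lookup `lookupCredential` is a hypothetical stand-in.

```kotlin
import android.app.assist.AssistStructure
import android.os.CancellationSignal
import android.service.autofill.AutofillService
import android.service.autofill.Dataset
import android.service.autofill.FillCallback
import android.service.autofill.FillRequest
import android.service.autofill.FillResponse
import android.view.View
import android.view.autofill.AutofillId
import android.view.autofill.AutofillValue
import android.widget.RemoteViews

data class Credential(val username: String, val password: String)

// Hypothetical vault lookup (assumption): credentials saved for exactly this web domain.
fun lookupCredential(domain: String): Credential? = null

class DomainBoundAutofillService : AutofillService() {
    override fun onFillRequest(request: FillRequest, signal: CancellationSignal, cb: FillCallback) {
        val structure = request.fillContexts.last().structure
        var pageDomain: String? = null   // domain of the WebView login page, if any
        val userIds = mutableListOf<AutofillId>()
        val passIds = mutableListOf<AutofillId>()
        fun walk(node: AssistStructure.ViewNode) {
            val hints = node.autofillHints ?: emptyArray()
            val domain = node.webDomain  // non-null only for fields rendered inside a WebView
            if (domain != null && (pageDomain == null || pageDomain == domain)) {
                pageDomain = domain
                val id = node.autofillId
                if (id != null && View.AUTOFILL_HINT_USERNAME in hints) userIds += id
                if (id != null && View.AUTOFILL_HINT_PASSWORD in hints) passIds += id
            }
            // Nodes with webDomain == null are the host app's native views; a web credential is never offered to them.
            for (i in 0 until node.childCount) walk(node.getChildAt(i))
        }
        for (i in 0 until structure.windowNodeCount) walk(structure.getWindowNodeAt(i).rootViewNode)
        val cred = pageDomain?.let(::lookupCredential)
        if (cred == null || (userIds.isEmpty() && passIds.isEmpty())) {
            cb.onSuccess(null)  // nothing that is safe to fill
            return
        }
        val presentation = RemoteViews(packageName, android.R.layout.simple_list_item_1)
        presentation.setTextViewText(android.R.id.text1, "Fill ${cred.username} on $pageDomain")
        val dataset = Dataset.Builder(presentation)
        userIds.forEach { dataset.setValue(it, AutofillValue.forText(cred.username)) }
        passIds.forEach { dataset.setValue(it, AutofillValue.forText(cred.password)) }
        cb.onSuccess(FillResponse.Builder().addDataset(dataset.build()).build())
    }
}
```

Native fields of the hosting app are simply skipped, so a login page loaded in WebView can only be filled on the page itself; the service must still be declared in the manifest with the usual `android.permission.BIND_AUTOFILL_SERVICE` binding.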
The researchers emphasize that the consequences of the AutoSpill vulnerability are particularly significant in scenarios involving a malicious base app. Even without resorting to phishing tactics, a rogue app could coerce users into logging in via Google or Facebook, automatically gaining access to sensitive information.
The researchers conducted tests on popular password managers, including 1Password, LastPass, Keeper, and Enpass, using new and up-to-date Android devices. They found that most apps were vulnerable to credential leakage, even with JavaScript injection disabled. Enabling JavaScript injection increased susceptibility, affecting all tested password managers.
Upon discovering the flaw, Ankit Gangwal promptly alerted Google and the affected password manager providers. 1Password’s Chief Technology Officer, Pedro Canahuati, mentioned that they are actively working on a fix to strengthen their security posture. Keeper’s Chief Technology Officer, Craig Lurey, acknowledged notification of a potential vulnerability but did not disclose whether fixes were implemented. LastPass had pre-existing mitigation in place, which was further enhanced after analyzing the researchers’ findings.
The researchers are now exploring the potential for attackers to extract credentials from the app to WebView. Additionally, they are investigating whether the AutoSpill vulnerability can be replicated on iOS.
The AutoSpill vulnerability serves as a stark reminder of the intricate security challenges facing mobile password managers. As providers work diligently to address and patch these vulnerabilities, users are advised to stay vigilant and consider additional security measures to safeguard their sensitive information. The collaborative efforts between researchers and providers play a crucial role in maintaining the integrity of password management systems and ensuring user data remains protected.