Some of the most popular mobile password managers on Android have a serious security flaw that could cause the worst problem possible for users - leaking their credentials.
Known as "Autospill," the vulnerability involves a bug in the autofill function on Android devices.
It was discovered by researchers at the International Institute of Information Technology (IIIT) Hyperabad, who presented their findings at the recent Black Hat Europe conference.
Autospill security risk
The problem arises when an app login page is loaded in WebView, which is Google's engine for letting developers display web content inside an app without going into a browser. This confuses the password manager about where to autofill the password, and instead it can mistakenly "expose the credentials to the base app," Ankit Gangwal, one of the researchers involved, told TechCrunch.
What it should do is autofill a user's credentials in the WebView login page that appears in the app. Gangwal cautions that this poses a significant threat in the case of malicious apps, as they could exploit the flaw to gain a user's credentials automatically, without the need to run phishing campaigns.
The password managers that the researchers claim to have tested the flaw on include 1Password, LastPass, Keeper, and Enpass - some of the most popular and best password managers around. They also said that the Android devices they used were new and up-to-date.
Apparently, most of the aforementioned apps were vulnerable to Autospill, even when JavaScript injection was disabled. When enabled, however, all of them were susceptible to the flaw.
Google and the relevant password managers have been notified of the flaw. 1Password told TechCrunch that it will be working to fix the flaw, while Keeper asked for a video demonstration of the flaw in action.
After seeing it, Keeper CTO Craig Lurey believed that, "the researcher had first installed a malicious application and subsequently, accepted a prompt by Keeper to force the association of the malicious application to a Keeper password record."
Lurey further defended the security posture of Keeper by saying it has, "safeguards in place to protect users against automatically filling credentials into an untrusted application." He also advised the researchers share their findings with Google, as the problem relates to the Android platform specifically.
LastPass told TechCrunch that it already had a pop-up warning in place to alert users of potential autofilling dangers, but in light of the research said it will now add "more informative wording" to the notification.
The researchers said they will be testing the flaw on iOS devices too.
Update 12/8: Since the publication of this article, A Google spokesperson reached out to TechRadar Pro to explain that the flaw, "is related to how password managers leverage the autofill APIs when interacting with WebViews. We recommend third-party password managers be sensitive as to where passwords are being inputted, and we have WebView best practices that we recommend all password managers implement. Android provides password managers with the required context to distinguish between native views and WebViews, as well as whether the WebView being loaded is not related to the hosting app."
