Security Android

Android Vulnerability Exposes Credentials From Mobile Password Managers (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: A number of popular mobile password managers are inadvertently spilling user credentials due to a vulnerability in the autofill functionality of Android apps. The vulnerability, dubbed "AutoSpill," can expose users' saved credentials from mobile password managers by circumventing Android's secure autofill mechanism, according to university researchers at the IIIT Hyderabad, who discovered the vulnerability and presented their research at Black Hat Europe this week. The researchers, Ankit Gangwal, Shubham Singh and Abhijeet Srivastava, found that when an Android app loads a login page in WebView, password managers can get "disoriented" about where they should target the user's login information and instead expose their credentials to the underlying app's native fields, they said. This is because WebView, the preinstalled engine from Google, lets developers display web content in-app without launching a web browser, and an autofill request is generated.

"Let's say you are trying to log into your favorite music app on your mobile device, and you use the option of 'login via Google or Facebook.' The music app will open a Google or Facebook login page inside itself via the WebView," Gangwal explained to TechCrunch prior to their Black Hat presentation on Wednesday. "When the password manager is invoked to autofill the credentials, ideally, it should autofill only into the Google or Facebook page that has been loaded. But we found that the autofill operation could accidentally expose the credentials to the base app." Gangwal notes that the ramifications of this vulnerability, particularly in a scenario where the base app is malicious, are significant. He added: "Even without phishing, any malicious app that asks you to log in via another site, like Google or Facebook, can automatically access sensitive information."

The researchers tested the AutoSpill vulnerability using some of the most popular password managers, including 1Password, LastPass, Keeper and Enpass, on new and up-to-date Android devices. They found that most apps were vulnerable to credential leakage, even with JavaScript injection disabled. When JavaScript injection was enabled, all the password managers were susceptible to their AutoSpill vulnerability. Gangwal says he alerted Google and the affected password managers to the flaw. Gangwal tells TechCrunch that the researchers are now exploring the possibility of an attacker potentially extracting credentials from the app to WebView. The team is also investigating whether the vulnerability can be replicated on iOS.
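The leak described above happens when a password manager answers a fill request without checking which origin each field belongs to. The following is an added example, not code from the AutoSpill researchers, TechCrunch, or any password manager: a runnable Python model of the origin check an autofill service can apply before offering a saved credential. The view tree is a constructed, simplified stand-in for the structure Android hands an autofill service (field names, `ASSOCIATED_PACKAGES`, `select_fill_targets` and the sample package names are assumptions for this illustration); the autofill hint strings `username`, `emailAddress` and `password` are the ones Android defines.

```python
"""Model of an origin-aware autofill policy (added example, not project code).

Each node of the constructed view tree has an autofill id, a class name,
optional autofill hints, an optional web domain (set on nodes rendered
inside a WebView) and children. Names and fields are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterator, Optional


@dataclass
class ViewNode:
    autofill_id: str
    class_name: str = "android.view.View"
    hints: tuple = ()
    web_domain: Optional[str] = None   # set for nodes rendered by a WebView
    children: list = field(default_factory=list)


@dataclass(frozen=True)
class Credential:
    origin: str        # web host the credential was saved for
    username: str
    password: str


# Constructed stand-in for a Digital Asset Links lookup: which app packages
# are legitimately associated with which web hosts (assumption).
ASSOCIATED_PACKAGES = {
    "accounts.google.com": {"com.google.android.gms"},
}


def walk(node: ViewNode, inherited: Optional[str] = None) -> Iterator[tuple[ViewNode, Optional[str]]]:
    """Yield (node, effective_domain). Nodes inside a WebView inherit the
    WebView's domain; nodes outside any WebView (native UI) have none."""
    domain = node.web_domain or inherited
    yield node, domain
    for child in node.children:
        yield from walk(child, domain)


def domain_matches(credential_origin: str, effective_domain: Optional[str]) -> bool:
    """Exact host match, or a subdomain of the host the credential was saved for."""
    if effective_domain is None:
        return False
    return (effective_domain == credential_origin
            or effective_domain.endswith("." + credential_origin))


def select_fill_targets(root: ViewNode, host_package: str, credential: Credential) -> dict:
    """Return {autofill_id: value} for the fields this credential may fill.

    Policy: a field inside a WebView is filled only if the WebView's domain
    matches the credential's origin; a native field (no web domain) is filled
    only if the host package is registered as associated with that origin.
    Native fields of an unrelated host app that merely sit beside a matching
    WebView are never filled, which is the spill the article describes.
    """
    targets = {}
    native_ok = host_package in ASSOCIATED_PACKAGES.get(credential.origin, set())
    for node, domain in walk(root):
        if not node.hints:
            continue
        allowed = domain_matches(credential.origin, domain) if domain else native_ok
        if not allowed:
            continue
        if "username" in node.hints or "emailAddress" in node.hints:
            targets[node.autofill_id] = credential.username
        elif "password" in node.hints:
            targets[node.autofill_id] = credential.password
    return targets


def build_example_tree() -> ViewNode:
    """Constructed fill request: a music app's own login form sits beside a
    WebView that has loaded the accounts.google.com sign-in page."""
    return ViewNode("root", "android.widget.LinearLayout", children=[
        ViewNode("native_user", "android.widget.EditText", ("username",)),
        ViewNode("native_pass", "android.widget.EditText", ("password",)),
        ViewNode("webview", "android.webkit.WebView", web_domain="accounts.google.com", children=[
            ViewNode("web_user", "input", ("emailAddress",)),
            ViewNode("web_pass", "input", ("password",)),
        ]),
    ])


if __name__ == "__main__":
    cred = Credential("accounts.google.com", "alice@example.com", "correct horse")
    # Host app is an unrelated music player: only the WebView fields qualify.
    print(select_fill_targets(build_example_tree(), "com.example.musicapp", cred))
```

Running the module fills only `web_user` and `web_pass`; the same tree presented by a package that is associated with the origin would also get its native fields filled, and a credential for an unrelated host gets nothing at all.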

  • by echo123 ( 1266692 ) on Thursday December 07, 2023 @08:20AM (#64063215)

    Bitwarden [bitwarden.com] isn't mentioned in TFA so it must be immune to this hack.

    I jest, I jest. Still, I recommend Bitwarden.

    • Based on the description of how the hacking technique works, I'm pretty sure it would work against any password manager.

      • Any password manager that does auto-fill. Which is why I never liked to have a password manager with auto-fill capability.

        • I believe most password managers have autofill off by default - but you can enable it.

          IIRC Bitwarden, at least, warns you when you do so that autofill is potentially insecure.

        • by LesFerg ( 452838 )

          I use NordPass, which does not appear to fill a field until it gets focus, usually after I have clicked or tapped on it.

          Does this vulnerability include faking a visible UI component getting focus?

      • Yeah, Google would have to create a sandboxed Webview that apps can't access but through an API.

        Maybe it should, but if you're pasting a password into an app, the surprise would be if the app couldn't see the password. I am not sure this 'discovery' needs a marketing name, though the issue is worth attention.

        What has me more concerned is that if I'm buying a book with, say, Thriftbooks, which accepts Paypal, it opens a Webview to Paypal instead of opening the Paypal app on my phone.

        Why is this the default Paypa

      • by piojo ( 995934 )

        Let me give a shout out for Keepass2Android [google.com], which fills in passwords by bundling a keyboard app which simply has a button that types your username/password/whatever. However it sometimes fills both fields with one click, and that aspect sounds like it might be vulnerable to this attack.

        Though in my opinion, you should not be entering your Facebook credentials into any app except Facebook. That is an inherent vulnerability.

  • This is because WebView, the preinstalled engine from Google, lets developers display web content in-app without launching a web browser, and an autofill request is generated.

    Once again, developers thinking they know more than the user. Nothing should be done unless the user explicitly does something. This applies equally well to sites which try to "autofill" what you're typing. Stop it. You do nothing except what the user says.

    This bullshit needs to stop. As seen here, it only introduces more vu
  • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Thursday December 07, 2023 @08:57AM (#64063291)

    The researchers tested the AutoSpill vulnerability using some of the most popular password managers, including 1Password, LastPass, Keeper and Enpass

    The question is, does Firefox leak info when used as a password manager? Not inside of Firefox, but when it supplies passwords to WebView.

  • That's exactly what you get with the release-fast attitude. A bunch of crap that nobody took care of thinking through.

    You can read all about the good things about it here [businessinsider.com]

  • by NotEmmanuelGoldstein ( 6423622 ) on Thursday December 07, 2023 @09:13AM (#64063323)

    ... login via Google or Facebook ...

    Handing your authentication duties to a third computer is a bad idea. Nobody wanted Microsoft Passport but everyone happily wants Facebook and now Google/Chrome to handle their accounts for them.

    I got a security key so I can change (technically downgrade) Google accounts to password/OTP. First I had to enable password authentication because horrifically, Google automatically disables that when a key is installed. It's 'your phone is your password' thinking and it's still wrong.

    To allow people to share one computer/account the key can store multiple trigger passwords. Trigger passwords, instead of a button on the key, supposedly control which people can access the account. However, the key doesn't require a login password, so anyone can add another trigger password and use their password to access the account. The key doesn't have time-stamps so I don't know when another password has been added, or a password replaced.

    Yes, it depends on physical access but when the key is being used by multiple people, that might not be difficult. I've seen workplaces where the security key is plugged into the computer all day, including during the lunch-break.

    • Yeah, it never seemed like a good idea to put all your credentials in a single place tied to an e-mail account.

      There was a time when "log in with Facebook" was hard to avoid since dark patterns would corral you to that option.

  • Some folks are blaming the developers, and they do deserve it. But the users also deserve blame. I've been saying for decades that using a password manager just centralizes and standardizes the attack surface for hackers. If you put a password in digital form, it will be vulnerable. Password managers are a stupid idea. And no, I don't write down my passwords either. I have an algorithm for generating passwords that is not obvious when seen in plaintext, produces a different password for each site, can be up
  • Imagine needing a login for your favorite music app https://play.google.com/store/... [google.com]

  • Passwords are outdated and insecure, per se, all of them, all of the time.

    Do not use passwords for anything accessible from the Internet. I repeat: Do not use passwords for anything ANY THING connected to the Internet.

    Buy one dedicated, USB and NFC capable FIDO2 device, a one-time 50 USD investment, put it on your keychain to always carry it with you on person, register it for your primary identity provider(s) (usually the email service, where all the password-forgotten emails would go to) and find a good p
