Android Vulnerability Exposes Credentials From Mobile Password Managers (techcrunch.com)
An anonymous reader quotes a report from TechCrunch: A number of popular mobile password managers are inadvertently spilling user credentials due to a vulnerability in the autofill functionality of Android apps. The vulnerability, dubbed "AutoSpill," can expose users' saved credentials from mobile password managers by circumventing Android's secure autofill mechanism, according to university researchers at the IIIT Hyderabad, who discovered the vulnerability and presented their research at Black Hat Europe this week. The researchers, Ankit Gangwal, Shubham Singh and Abhijeet Srivastava, found that when an Android app loads a login page in WebView, password managers can get "disoriented" about where they should target the user's login information and instead expose their credentials to the underlying app's native fields, they said. This is because WebView, the preinstalled engine from Google, lets developers display web content in-app without launching a web browser, and an autofill request is generated.
"Let's say you are trying to log into your favorite music app on your mobile device, and you use the option of 'login via Google or Facebook.' The music app will open a Google or Facebook login page inside itself via the WebView," Gangwal explained to TechCrunch prior to their Black Hat presentation on Wednesday. "When the password manager is invoked to autofill the credentials, ideally, it should autofill only into the Google or Facebook page that has been loaded. But we found that the autofill operation could accidentally expose the credentials to the base app." Gangwal notes that the ramifications of this vulnerability, particularly in a scenario where the base app is malicious, are significant. He added: "Even without phishing, any malicious app that asks you to log in via another site, like Google or Facebook, can automatically access sensitive information."
The researchers tested the AutoSpill vulnerability using some of the most popular password managers, including 1Password, LastPass, Keeper and Enpass, on new and up-to-date Android devices. They found that most apps were vulnerable to credential leakage, even with JavaScript injection disabled. When JavaScript injection was enabled, all the password managers were susceptible to their AutoSpill vulnerability. Gangwal says he alerted Google and the affected password managers to the flaw. Gangwal tells TechCrunch that the researchers are now exploring the possibility of an attacker potentially extracting credentials from the app to WebView. The team is also investigating whether the vulnerability can be replicated on iOS.
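As an added example (not code from the article, the researchers or any password-manager vendor), this Kotlin sketch shows the fill decision a password manager's Android AutofillService can make to avoid the leak described above: credentials are written only to fields that carry a webDomain matching the saved login, and the hosting app's native fields are ignored whenever WebView content is present. The class name, sample login and domain are hypothetical, and the package-to-domain association check a production service would also need is omitted.

```kotlin
import android.app.assist.AssistStructure.ViewNode
import android.os.CancellationSignal
import android.service.autofill.*
import android.view.View
import android.view.autofill.AutofillId
import android.view.autofill.AutofillValue
import android.widget.RemoteViews

// Hypothetical password-manager autofill service (example only, not any vendor's code).
// Rule: if the screen contains WebView content, fill only web fields whose domain is the one
// the login was saved for; native fields of the hosting app are never filled in that request.
class WebDomainBoundAutofillService : AutofillService() {
    // Constructed sample login; a real service would look this up in its vault.
    private val savedDomain = "accounts.example-idp.test"
    private val savedUser = "alice"
    private val savedPassword = "example-only-password"

    override fun onFillRequest(request: FillRequest, signal: CancellationSignal, callback: FillCallback) {
        val structure = request.fillContexts.last().structure
        val webNodes = mutableListOf<ViewNode>()
        val nativeNodes = mutableListOf<ViewNode>()
        for (i in 0 until structure.windowNodeCount) {
            collect(structure.getWindowNodeAt(i).rootViewNode, webNodes, nativeNodes)
        }
        // Web content present -> native fields are off limits; otherwise it is a plain native form.
        val targets = if (webNodes.isNotEmpty()) webNodes.filter { it.webDomain == savedDomain } else nativeNodes
        val values = mutableMapOf<AutofillId, AutofillValue>()
        for (node in targets) {
            val hints = node.autofillHints ?: continue
            val id = node.autofillId ?: continue
            when {
                View.AUTOFILL_HINT_PASSWORD in hints -> values[id] = AutofillValue.forText(savedPassword)
                View.AUTOFILL_HINT_USERNAME in hints -> values[id] = AutofillValue.forText(savedUser)
            }
        }
        if (values.isEmpty()) { callback.onSuccess(null); return }  // nothing safe to fill
        val presentation = RemoteViews(packageName, android.R.layout.simple_list_item_1)
        presentation.setTextViewText(android.R.id.text1, "$savedUser @ $savedDomain")
        val dataset = Dataset.Builder(presentation)
        values.forEach { (id, value) -> dataset.setValue(id, value) }
        callback.onSuccess(FillResponse.Builder().addDataset(dataset.build()).build())
    }

    // Depth-first walk: fillable nodes that carry a webDomain came from WebView content.
    private fun collect(node: ViewNode, web: MutableList<ViewNode>, nativeList: MutableList<ViewNode>) {
        if (node.autofillHints != null) (if (node.webDomain != null) web else nativeList).add(node)
        for (i in 0 until node.childCount) collect(node.getChildAt(i), web, nativeList)
    }

    override fun onSaveRequest(request: SaveRequest, callback: SaveCallback) = callback.onSuccess()
}
```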
Free, open-source bitwarden (Score:3)
Bitwarden [bitwarden.com] isn't mentioned in TFA so it must be immune to this hack.
I jest, I jest. Still, I recommend Bitwarden.
Re: (Score:3)
Based on the description of how the hacking technique works, I'm pretty sure it would work against any password manager.
Re: (Score:3)
Any password manager that does auto-fill. Which is why I never liked to have a password manager with auto-fill capability.
Re: (Score:3)
I believe most password managers have autofill off by default - but you can enable it.
IIRC Bitwarden, at least, warns you when you do so that autofill is potentially insecure.
Re: (Score:2)
I use NordPass, which does not appear to fill a field until it gets focus, usually after I have clicked or tapped on it.
Does this vulnerability include faking a visible UI component getting focus?
Re: (Score:2)
Yeah, Google would have to create a sandboxed Webview that apps can't access but through an API.
Maybe it should, but if you're pasting a password into an app, the surprise would be if the app couldn't see the password. I am not sure this 'discovery' needs a marketing name, though the issue is worth attention.
What has me more concerned is that if I'm buying a book with, say Thriftbooks, which accepts Paypal, it opens a Webview to Paypal instead of opening the Paypal app on my phone.
Why is this the default Paypa
Re: (Score:3)
Let me give a shout out for Keepass2Android [google.com], which fills in passwords by bundling a keyboard app which simply has a button that types your username/password/whatever. However it sometimes fills both fields with one click, and that aspect sounds like it might be vulnerable to this attack.
Though in my opinion, you should not be entering your Facebook credentials into any app except Facebook. That is an inherent vulnerability.
Stop doing things (Score:2)
Once again, developers thinking they know more than the user. Nothing should be done unless the user explicitly does something. This applies equally well to sites which try to "autofill" what you're typing. Stop it. You do nothing except what the user says.
This bullshit needs to stop. As seen here, it only introduces more vu
Didn't mention Firefox (Score:3)
The researchers tested the AutoSpill vulnerability using some of the most popular password managers, including 1Password, LastPass, Keeper and Enpass
The question is, does Firefox leak info when used as a password manager? Not inside of Firefox, but when it supplies passwords to WebView.
Re: Didn't mention Firefox (Score:2)
"Firefox does not supply passwords to WebView."
Isn't the whole point of this story that the password managers supply passwords to WebView? Firefox can act as a password manager on Android and autofill passwords in other apps. Do you not even know that?
Is there such a thing as releasing too fast ? (Score:1)
That's exactly what you get with the release-fast attitude. A bunch of crap that nobody took care of thinking through.
You can read all about the good things about it here [businessinsider.com]
A bad idea (Score:3)
Handing your authentication duties to a third computer is a bad idea. Nobody wanted Microsoft Passport but everyone happily wants Facebook and now Google/Chrome to handle their accounts for them.
I got a security key so I can change (technically downgrade) Google accounts to password/OTP. First I had to enable password authentication because horrifically, Google automatically disables that when a key is installed. It's 'your phone is your password' thinking and it's still wrong.
To allow people to share one computer/account, the key can store multiple trigger passwords. Trigger passwords, instead of a button on the key, supposedly control which people can access the account. However, the key doesn't require a login password, so anyone can add another trigger password and use their password to access the account. The key doesn't have timestamps, so I don't know when another password has been added, or a password replaced.
Yes, it depends on physical access but when the key is being used by multiple people, that might not be difficult. I've seen workplaces where the security key is plugged into the computer all day, including during the lunch-break.
Re: (Score:2)
Yeah, it never seemed like a good idea to put all your credentials in a single place tied to an e-mail account.
There was a time when "log in with Facebook" was hard to avoid, since dark patterns would corral you to that option.
Stupidity all around (Score:2)
Re: (Score:2)
All of these logins are happening on a web layer - the attack surface is already "centralized and standardized".
And rolling your own security is almost never a good idea.
Re: (Score:2)
He uses: "Hunter2" but changes the digit for each site.
Re: (Score:1)
Imagine (Score:2)
Imagine needing a login for your favorite music app https://play.google.com/store/... [google.com]
FIDO is the answer (Score:2)
Passwords are outdated and insecure, per se, all of them, all of the time.
Do not use passwords for anything accessible from the Internet. I repeat: Do not use passwords for anything ANY THING connected to the Internet.
Buy one dedicated, USB and NFC capable FIDO2 device, a one-time 50 USD investment, put it on your keychain to always carry it with you on person, register it for your primary identity provider(s) (usually the email service, where all the password-forgotten emails would go to) and find a good p