Warning As 1Password, DashLane, LastPass And 3 Others Leak Passwords

Six of the most popular password managers have been called out by security researchers who uncovered a major vulnerability that impacts the Android autofill function. The AutoSpill vulnerability enables hackers to bypass the security mechanisms protecting the autofill functionality on Android devices, exposing credentials to the host app calling for them.

What Is The Android AutoSpill Password Manager Vulnerability?

The researchers, Ankit Gangwal, Shubham Singh and Abhijeet Srivastava from the International Institute of Information Technology Hyderabad, presented their findings on December 6 at the Black Hat Europe hacker conference. The very aptly named AutoSpill vulnerability exists when an Android app loads a login page inside WebView, the Google component pre-installed on Android by default that lets apps display web content. App developers show web content this way, inside WebView, so that a separate web browser does not have to be launched. When the login page appears, the Android autofill function kicks in and requests the login credentials in question. So far, so good. Things get a little, well, a lot, less good when a password manager fills those credentials. What should happen is that the credentials are inserted only into the login fields of the page being loaded. Instead, and this is where it becomes very concerning for most Android phone users, those credentials can also be handed to the host app itself. This common scenario, the researchers said, includes examples such as “in-app opening of hyperlinks in Skype or Gmail mobile apps,” as well as “the Login with Apple/Facebook/Google button for user authentication within a third-party mobile app.”


Which Password Managers Are Vulnerable To AutoSpill?

Some of the most popular password managers were found to be vulnerable to an AutoSpill exploit. These included 1Password, LastPass, Enpass, Keeper, and Keepass2Android. When the researchers additionally used a JavaScript injection method, DashLane and Google Smart Lock were also susceptible to the credential-stealing attack. Although there is no evidence of AutoSpill being exploited in the wild, the researchers are at pains to point out that the ramifications of AutoSpill are highly dangerous. They say that a malicious app designed to harvest credentials while posing as an innocuous utility would not require any malicious code in the app itself, which means it could be made available in the official app store. “We responsibly disclosed our findings to the affected password managers and Android security team. Different password managers and Google accepted our work as a valid issue,” the researchers said.


Pedro Canahuati, the chief technology officer at 1Password, said, “1Password’s autofill function has been designed to require the user to take explicit action,” and that a fix was in the works. “The update will provide additional protection by preventing native fields from being filled with credentials that are only intended for Android’s WebView.”

Keeper chief technology officer Craig Lurey said, “On the Android platform, Keeper prompts the user when attempting to autofill credentials into an Android application or website. On June 29, we informed the researcher of this information and also recommended that he submit his report to Google since it is specifically related to the Android platform.”

Alex Cox, director of threat intelligence with the LastPass mitigation and escalation team, told TechCrunch that “LastPass already had a mitigation in place via an in-product pop-up warning when the app detected an attempt to leverage the exploit. After analyzing the findings, we added more informative wording in the pop-up.”

A Google spokesperson told Bleeping Computer that “This issue is related to how password managers leverage the autofill APIs when interacting with WebViews. We recommend third-party password managers be sensitive as to where passwords are being inputted, and we have WebView best practices that we recommend all password managers implement.”
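The defensive behaviour described in the 1Password and Google statements, as an added Kotlin example that is not code from any password manager named here: an Android AutofillService walks the fill request's view tree and fills a saved web credential only into WebView fields whose web domain matches the credential, never into the host app's native views, which is where the leak the article describes would otherwise land. The WebCredential type, lookupCredential and the service class name are assumptions.

```kotlin
import android.app.assist.AssistStructure
import android.app.assist.AssistStructure.ViewNode
import android.os.CancellationSignal
import android.service.autofill.AutofillService
import android.service.autofill.Dataset
import android.service.autofill.FillCallback
import android.service.autofill.FillRequest
import android.service.autofill.FillResponse
import android.view.autofill.AutofillValue
import android.widget.RemoteViews

// Constructed stand-in for a stored web credential; a real manager has its own vault types.
data class WebCredential(val domain: String, val username: String, val password: String)

/** True only for a WebView field on the exact domain the credential was saved for.
 *  Native views carry no webDomain, so a web credential is never filled into them. */
fun belongsToDomain(node: ViewNode, credentialDomain: String): Boolean {
    val nodeDomain = node.webDomain ?: return false
    return nodeDomain.equals(credentialDomain, ignoreCase = true)
}

/** Classifies a WebView node as a password input from its HTML "type" attribute. */
fun isPasswordField(node: ViewNode): Boolean =
    node.htmlInfo?.attributes?.any { it.first.equals("type", true) && it.second.equals("password", true) } == true

class GuardedAutofillService : AutofillService() {
    override fun onFillRequest(request: FillRequest, signal: CancellationSignal, callback: FillCallback) {
        val structure: AssistStructure = request.fillContexts.last().structure
        val nodes = mutableListOf<ViewNode>()
        for (i in 0 until structure.windowNodeCount) collect(structure.getWindowNodeAt(i).rootViewNode, nodes)

        // The request mixes the host app's native views with the WebView's page nodes;
        // key the (hypothetical) vault lookup on the domain the WebView is actually showing.
        val pageDomain = nodes.firstNotNullOfOrNull { it.webDomain }
        val cred = pageDomain?.let { lookupCredential(it) }
        if (cred == null) { callback.onSuccess(null); return }

        val dataset = Dataset.Builder(RemoteViews(packageName, android.R.layout.simple_list_item_1))
        var filled = 0
        for (node in nodes) {
            val id = node.autofillId ?: continue
            if (!belongsToDomain(node, cred.domain)) continue   // drops every native host-app field
            dataset.setValue(id, AutofillValue.forText(if (isPasswordField(node)) cred.password else cred.username))
            filled++
        }
        callback.onSuccess(if (filled == 0) null else FillResponse.Builder().addDataset(dataset.build()).build())
    }

    private fun collect(node: ViewNode, out: MutableList<ViewNode>) {
        out.add(node)
        for (i in 0 until node.childCount) collect(node.getChildAt(i), out)
    }

    private fun lookupCredential(domain: String): WebCredential? = null   // hypothetical vault access
}
```

A manager that also wants to fill native login forms should do so from a separate, app-keyed credential and only after verifying the calling package, rather than reusing the web credential in the same request.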

A spokesperson for Enpass told me that “Ankit Gangwal from the research team at the Indian Institutes of Information Technology reached out to us in June 2022 about the AutoSpill vulnerability in the Android Autofill framework. That vulnerability was subsequently patched in Enpass 6.8.3, released September 29, 2022.”

I have reached out to the developers of Keepass2Android.

