Password managers on Android found to have scary vulnerability

In recent years, password managers have become a popular way to store and protect all of our passwords in a single place. Until tech companies can fully eliminate the need for passwords as we know them, these apps are often the best way to keep track of the dozens or even hundreds of passwords you have to remember. But as convenient as they are, there are still risks to using them, as researchers from IIIT Hyderabad showed by developing a new attack.

In a presentation at Black Hat Europe 2023, researchers from Hyderabad’s International Institute of Information Technology showed how they were able to steal saved credentials from password managers using a novel attack that they call AutoSpill.

As the researchers explain, many Android apps use WebView controls to load a webpage within a mobile app. These controls are often used to open hyperlinks or login pages. It turns out many of the top password managers on Android use WebView to automatically fill in users’ passwords when they load a login page for Apple, Facebook, Google, and other platforms. AutoSpill is able to take advantage of this process to steal data.

“AutoSpill violates Android’s secure autofill process,” the researchers explained. “We found that the majority of top Android PMs were vulnerable to AutoSpill; even without JavaScript injections. With JavaScript injections enabled, all of them were found vulnerable.”

BleepingComputer expounded on their report, noting that Android fails to enforce or define any responsibility for the secure handling of the auto-filled data. As a result, the data can leak out, or a rogue app can capture the data with relative ease.

The researchers used AutoSpill on popular password managers on devices running Android 10, Android 11, and Android 12. 1Password, LastPass, Enpass, Keeper, and Keepass2Android were all susceptible to the attacks. The researchers were also able to infiltrate Google Smart Lock and DashLane, but they had to enable JavaScript injections.

The researchers say they disclosed their findings to the app developers as well as the Android security team. They note that Google and several password manager apps accepted their work as a valid issue and began working on fixes.

Several of the developers also responded to BleepingComputer’s request for comment about the findings. Here’s what Pedro Canahuati, CTO of 1Password, said:

Many people have become accustomed to using autofill to quickly and easily enter their credentials. Through a malicious app installed on the user’s device, a hacker could lead a user to unintentionally autofill their credentials. AutoSpill highlights this problem. 

Keeping our customers’ most important data safe is our utmost priority at 1Password. A fix for AutoSpill has been identified and is currently being worked on. 

While the fix will further strengthen our security posture, 1Password’s autofill function has been designed to require the user to take explicit action.

The update will provide additional protection by preventing native fields from being filled with credentials that are only intended for Android’s WebView.

Even if this vulnerability no longer plagues more recent versions of Android or the apps in question, it’s yet another reminder to be diligent about mobile security.

In recent years, password managers have become a popular way to store and protect all of our passwords in a single place. Until tech companies can fully eliminate the need for passwords as we know them, these apps are often the best way to keep track of the dozens or even hundreds of passwords you have to remember. But as convenient as they are, there are still risks to using them, as researchers from IIIT Hyderabad showed by developing a new attack.

In a presentation at Black Hat Europe 2023, researchers from Hyderabad’s International Institute of Information Technology showed how they were able to steal saved credentials from password managers using a novel attack that they call AutoSpill.

As the researchers explain, many Android apps use WebView controls to load a webpage within a mobile app. These controls are often used to open hyperlinks or login pages. It turns out many of the top password managers on Android use WebView to automatically fill in users’ passwords when they load a login page for Apple, Facebook, Google, and other platforms. AutoSpill is able to take advantage of this process to steal data.

“AutoSpill violates Android’s secure autofill process,” the researchers explained. “We found that the majority of top Android PMs were vulnerable to AutoSpill; even without JavaScript injections. With JavaScript injections enabled, all of them were found vulnerable.”

BleepingComputer expounded on their report, noting that Android fails to enforce or define any responsibility for the secure handling of the auto-filled data. As a result, the data can leak out, or a rogue app can capture the data with relative ease.

The researchers used AutoSpill on popular password managers on devices running Android 10, Android 11, and Android 12. 1Password, LastPass, Enpass, Keeper, and Keepass2Android were all susceptible to the attacks. The researchers were also able to infiltrate Google Smart Lock and DashLane, but they had to enable JavaScript injections.

The researchers say they disclosed their findings to the app developers as well as the Android security team. They note that Google and several password manager apps accepted their work as a valid issue and began working on fixes.

Several of the developers also responded to BleepingComputer’s request for comment about the findings. Here’s what Pedro Canahuati, CTO of 1Password, said:

Many people have become accustomed to using autofill to quickly and easily enter their credentials. Through a malicious app installed on the user’s device, a hacker could lead a user to unintentionally autofill their credentials. AutoSpill highlights this problem. 

Keeping our customers’ most important data safe is our utmost priority at 1Password. A fix for AutoSpill has been identified and is currently being worked on. 

While the fix will further strengthen our security posture, 1Password’s autofill function has been designed to require the user to take explicit action.

The update will provide additional protection by preventing native fields from being filled with credentials that are only intended for Android’s WebView.

Even if this vulnerability no longer plagues more recent versions of Android or the apps in question, it’s yet another reminder to be diligent about mobile security.