Android Security Failure: AutoSpill Flaw Threatens Password Manager Users

Ankit Gangwal, reveals AutoSpill vulnerability. (photo: x @ISMG_News)

JAKARTA - A number of popular password managers for mobile devices can unwittingly reveal user credentials due to vulnerabilities in the autofill functionality of Android applications.

This vulnerability, named "AutoSpill," could expose login information stored by mobile password managers by circumventing Android's secure autofill mechanism. Researchers from IIIT Hyderabad discovered this vulnerability and presented their research at Black Hat Europe this week.

The researchers, Ankit Gangwal, Shubham Singh, and Abhijeet Srivastava, found that when an Android app loads a login page in WebView, password managers can "get lost" about where they should target users' login information and instead reveal their credentials in the app's native fields. which underlies it.

This happens because WebView, Google's pre-installed engine, allows developers to display web content within an application without opening a web browser, and an autofill request is generated.

“For example, when you try to log into your favorite music app on your mobile device and use the 'sign in via Google or Facebook.' Music apps will open Google or Facebook login pages within them via WebView,” Gangwal explained to TechCrunch ahead of his presentation at Black Hat on  Wednesday, December 6.

“When the password manager is enabled to autofill credentials, it should populate only to Google or Facebook pages that have already been loaded. However, we found that the autofill operation could inadvertently reveal credentials to the underlying application,” Gangwal said.

Gangwal noted that the consequences of this vulnerability, especially in scenarios where the underlying application is malicious, are significant. “Even without phishing, any malicious app that asks you to log in through another site, such as Google or Facebook, can automatically access sensitive information,” explains Gangwal.

Researchers tested the AutoSpill vulnerability using some of the most popular password managers, including 1Password, LastPass, Keeper, and Enpass, on new and recent Android devices. They found that most applications were vulnerable to credential leaks, even when JavaScript injection was disabled. When JavaScript injection is enabled, all password managers are vulnerable to the AutoSpill vulnerability.

Gangwal said that he has notified Google and affected password managers about this vulnerability.

Pedro Canahuati, Chief Technology Officer of 1Password, said that the company has identified and is working to fix AutoSpill. “While these improvements will further strengthen our security posture, 1Password's autofill functionality has been designed to require explicit user action,” Canahuati said. "This update will provide additional protection by preventing native fields from being filled in with credentials intended only for the Android WebView."

Craig Lurey, CTO of Keeper, said the company had been notified of the potential vulnerability, but did not say whether it had made a fix. "We requested a video from the researcher to demonstrate the reported issue. Based on our analysis, we determined that the researcher first installed a malicious application and then received a prompt from Keeper to force the association of the malicious application with the Keeper password record," Lurey said.

Google and Enpass did not respond to TechCrunch's questions. Alex Cox, director of LastPass' threat intelligence, mitigation and escalation team, said that before learning of the researchers' findings, LastPass already had mitigations in place through pop-up alerts in the product when the app detected an attempt to exploit an exploit. "After analyzing these findings, we added a more informative explanation to the pop-up," Cox said.

Gangwal said that researchers are now exploring the possibility that an attacker could extract credentials from the application to WebView. The team is also investigating whether this vulnerability can be replicated on iOS.