Your login information may be exposed by your mobile password manager.
Due to a flaw in the autofill feature of Android apps, several well-known mobile password managers are unintentionally disclosing user passwords.
University researchers at the IIIT Hyderabad have discovered a vulnerability they have dubbed "AutoSpill," which can expose users' saved credentials from mobile password managers by evading Android's secure autofill mechanism. This research was presented this week at Black Hat Europe.
Ankit Gangwal, Shubham Singh, and Abhijeet Srivastava, the researchers, discovered that password managers can become "disoriented" about where to target the user's login information when an Android app loads a login page in WebView, exposing the credentials to the underlying app's native fields instead. The cause is WebView, the Chrome-based engine that lets developers display web content inside an app without opening a browser, and which generates the autofill request.
Imagine using the "login via Google or Facebook" option when attempting to access your preferred music app on a mobile device. Speaking to TechCrunch before the Black Hat presentation on Wednesday, Gangwal explained that the music app would use WebView to open a Google or Facebook login page inside itself.
"Ideally, the password manager should only autofill into the loaded Google or Facebook page when the autofill feature is activated. However, we discovered that the autofill feature can inadvertently reveal the login credentials to the main application."
Gangwal observes that the consequences of this vulnerability are substantial, especially if the base app is malevolent. "Any malicious app that asks you to log in via another site, like Google or Facebook, can automatically access sensitive information," he continued, even in the absence of phishing.
Using some of the most widely used password managers, such as 1Password, LastPass, Keeper, and Enpass, the researchers tested the AutoSpill vulnerability on brand-new, modern Android smartphones. Even with JavaScript injection turned off, they discovered that the majority of apps were susceptible to credential leaks. All of the password managers were vulnerable to their AutoSpill vulnerability when JavaScript injection was enabled.
Gangwal claims to have reported the vulnerability to Google and the impacted password managers.
When contacted before publication, Google declined to comment; it subsequently told TechCrunch, through spokesperson Ed Fernandez, that the company advises third-party password managers to "be sensitive as to where passwords are being inputted, and we have WebView best practices that we recommend all password managers implement."
"Android gives password managers the necessary context to determine if a WebView is being loaded in relation to the hosting app or not, as well as to differentiate between native views and WebViews," the Google representative added. Users are alerted, for instance, if they submit a password for a domain that Google assesses may not be held by the hosting app while using Google Password Manager for autofill on Android; the password is only entered in the correct area. "Google uses server-side safeguards for WebView logins," the representative stated.
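To make the mechanism described above concrete, here is an added example of how an Android autofill service can apply the guidance Google gives: distinguish native views from WebView content, fill a credential only into fields rendered under its own origin, and never fill the hosting app's native fields once a WebView login page is present. This is illustrative code written for this article, not code from any of the password managers named or from Google; the service class name, the sample credential, and the package-to-domain mapping in isAssociated are constructed assumptions (a real implementation would verify app-to-site association through Digital Asset Links rather than a hardcoded table).

```java
import android.app.assist.AssistStructure;
import android.app.assist.AssistStructure.ViewNode;
import android.os.CancellationSignal;
import android.service.autofill.AutofillService;
import android.service.autofill.Dataset;
import android.service.autofill.FillCallback;
import android.service.autofill.FillContext;
import android.service.autofill.FillRequest;
import android.service.autofill.FillResponse;
import android.service.autofill.SaveCallback;
import android.service.autofill.SaveRequest;
import android.view.View;
import android.view.autofill.AutofillId;
import android.view.autofill.AutofillValue;
import android.widget.RemoteViews;
import java.util.ArrayList;
import java.util.List;

/** Illustrative (hypothetical) autofill service that binds each fill to the credential's origin. */
public class OriginBoundAutofillService extends AutofillService {

    /** A saved credential tied to one web domain. The values below are constructed samples. */
    static final class Credential {
        final String domain, username, password;
        Credential(String domain, String username, String password) {
            this.domain = domain; this.username = username; this.password = password;
        }
    }
    private static final Credential SAMPLE =
            new Credential("accounts.example.test", "alice", "correct-horse-battery");

    /** A fillable field plus the web domain it was rendered under (null means a native view). */
    static final class Target {
        final AutofillId id; final String webDomain; final boolean isPassword;
        Target(AutofillId id, String webDomain, boolean isPassword) {
            this.id = id; this.webDomain = webDomain; this.isPassword = isPassword;
        }
    }

    @Override
    public void onFillRequest(FillRequest request, CancellationSignal signal, FillCallback callback) {
        List<FillContext> contexts = request.getFillContexts();
        AssistStructure structure = contexts.get(contexts.size() - 1).getStructure();
        String hostPackage = structure.getActivityComponent().getPackageName();

        // Walk every window of the hosting activity and record each login field with its origin.
        List<Target> targets = new ArrayList<>();
        for (int i = 0; i < structure.getWindowNodeCount(); i++) {
            collect(structure.getWindowNodeAt(i).getRootViewNode(), null, targets);
        }
        boolean webViewPresent = false;
        for (Target t : targets) if (t.webDomain != null) webViewPresent = true;

        RemoteViews presentation = new RemoteViews(getPackageName(), android.R.layout.simple_list_item_1);
        presentation.setTextViewText(android.R.id.text1, SAMPLE.username + " (" + SAMPLE.domain + ")");
        Dataset.Builder dataset = new Dataset.Builder(presentation);
        int filled = 0;
        for (Target t : targets) {
            // AutoSpill mitigation: when a WebView login page is loaded, the host app's own
            // native fields are never a valid destination for the web credential.
            if (webViewPresent && t.webDomain == null) continue;
            // Web fields receive the credential only when the document's domain matches it.
            if (t.webDomain != null && !t.webDomain.equalsIgnoreCase(SAMPLE.domain)) continue;
            // Native fields (no WebView on screen) only when the host app is linked to the site.
            if (t.webDomain == null && !isAssociated(SAMPLE.domain, hostPackage)) continue;
            dataset.setValue(t.id, AutofillValue.forText(t.isPassword ? SAMPLE.password : SAMPLE.username));
            filled++;
        }
        if (filled == 0) { callback.onSuccess(null); return; } // nothing safe to fill
        callback.onSuccess(new FillResponse.Builder().addDataset(dataset.build()).build());
    }

    @Override
    public void onSaveRequest(SaveRequest request, SaveCallback callback) {
        callback.onSuccess(); // saving is out of scope for this example
    }

    /** Depth-first walk; child nodes inherit the nearest ancestor's web domain. */
    private static void collect(ViewNode node, String inheritedDomain, List<Target> out) {
        String domain = node.getWebDomain() != null ? node.getWebDomain() : inheritedDomain;
        String[] hints = node.getAutofillHints();
        if (hints != null && node.getAutofillId() != null) {
            for (String h : hints) {
                if (View.AUTOFILL_HINT_PASSWORD.equals(h)) {
                    out.add(new Target(node.getAutofillId(), domain, true)); break;
                }
                if (View.AUTOFILL_HINT_USERNAME.equals(h) || View.AUTOFILL_HINT_EMAIL_ADDRESS.equals(h)) {
                    out.add(new Target(node.getAutofillId(), domain, false)); break;
                }
            }
        }
        for (int i = 0; i < node.getChildCount(); i++) collect(node.getChildAt(i), domain, out);
    }

    /** Assumption: a constructed stand-in for a Digital Asset Links (assetlinks.json) check. */
    private static boolean isAssociated(String domain, String packageName) {
        return "accounts.example.test".equals(domain) && "test.example.musicapp".equals(packageName);
    }
}
```

The decisive check is the first one inside the loop: the moment any node in the fill request carries a web domain, native fields of the hosting app are skipped entirely, which is exactly the path AutoSpill exploits. The domain comparison then keeps the credential on its own origin even inside the WebView, and the association check covers the separate case of a purely native login form.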
Pedro Canahuati, chief technical officer of 1Password, informed TechCrunch that AutoSpill has been found and a patch is being developed by the business. Canahuati stated, "1Password's autofill function has been designed to require the user to take explicit action, even though the fix will further strengthen our security posture." "By preventing credentials meant exclusively for Android's WebView from being entered into native fields, the update will add an extra layer of security."
In comments provided to TechCrunch, Keeper CTO Craig Lurey stated that the firm was informed of a possible vulnerability, but he did not specify whether any remedies had been implemented. "We asked the researcher to provide a video that would illustrate the issue that was identified. Our investigation revealed that the researcher had initially installed a malicious program before responding to Keeper's request to compel the rogue application's connection to a Keeper password record," stated Lurey.
Keeper suggested that the researcher submit his report to Google because it "relates specifically to the Android platform" and stated that there are "safeguards in place to protect users against automatically filling credentials into an untrusted application or a site that was not explicitly authorized by the user."
Enpass did not reply to inquiries from TechCrunch. Alex Cox, director of LastPass's threat intelligence, mitigation, and escalation team, told TechCrunch that the company had already implemented a mitigation measure, an in-product pop-up warning, when it identified an attempt to use the exploit, before being informed of the researchers' findings. "We updated the pop-up with more informative wording after analyzing the findings," stated Cox.
TechCrunch is informed by Gangwal that the researchers are currently investigating the prospect of an attacker obtaining credentials from the app and using them to access WebView. The group is also looking into the possibility of reproducing the vulnerability on iOS.