Your favorite password manager could be exposing your credentials

Why it matters: The use of password managers has accelerated in recent years, and while that's a good way to protect your security online, it's by no means a perfect solution. New research has revealed that a simple Android vulnerability can potentially expose your credentials to malicious apps, especially in scenarios where a web page is loaded inside an app and is asking for you to log in to view its content.

Several widely used mobile password managers are inadvertently leaking credentials from Android devices due to a newly discovered vulnerability in the WebView autofill mechanism used by many Android apps.

Researchers at the Indian Institute of Technology in Hyderabad who discovered the flaw call it "AutoSpill," which is a fitting name as it automatically exposes credentials from mobile password managers and circumvents the security measures for the autofill functionality in Android.

Anti Gangwal and his students Abhijeet Srivastava and Shubham Singh published their findings in a paper and presented them at the ongoing Black Hat Europe conference in London. Gangwal explains that password managers can get "disoriented" when having to autofill credentials inside apps that load web pages using Google's WebView engine.

A common example would be apps that allow logging in through your Facebook or Google account to make the signup process faster and more convenient. When the password manager is prompted to fill in the credentials, the expected behavior is that it'll autofill them in the right fields of the WebView interface. However, it will sometimes expose your credentials to the base app instead.

While it may not seem like a huge deal, there's a significant risk that malicious apps masquerading as legitimate entertainment or utility apps could grab the credentials of unsuspecting Android users and use them to access sensitive information. Google regularly removes such apps from Google Play, but often after they've already been downloaded by hundreds of thousands of users.

The researchers tested several popular mobile password managers such as LastPass, 1Password, Enpass, and Keeper using Android devices running the latest security updates. What they found was that almost all of the apps were vulnerable to credential leakage despite disabling JavaScript injection. Upon enabling JavaScript injection, all of the tested mobile password managers became susceptible to AutoSpill.

These findings are particularly concerning when you consider that password managers have seen significant user growth in recent years. In the US, an estimated 34 percent use password managers this year, up from 21 percent in 2022. The AutoSpill vulnerability requires no phishing or tricking the user, which makes it easy for a malicious actor to exploit.

Related reading: The best password managers

The good news is that Gangwal believes there's little evidence of AutoSpill being exploited in the wild. However, when he contacted the developers of the tested password managers, one failed to respond despite numerous attempts while most other companies simply deferred the problem to Google.

As for Google, the company marked the AutoSpill bug as a Priority 2 and Severity 2 and is currently working on a fix. 1Password is the only company that told Gangwal it would find a fix of its own for AutoSpill.

There are ways for password managers to mitigate the risk of credentials leakage by associating a web domain with the input fields to create a more secure coupling, but Gangwal ultimately believes the best solution would be to scrap passwords altogether and push for the use of passkeys for passwordless authentication.

Masthead credit: Mika Baumeister