A team of researchers has just disclosed a technique for stealing credentials through a flaw affecting the leading password managers for Android. Not very reassuring…
Password managers are very practical tools whose use has become widespread among the general public, whether on computers or smartphones. They greatly improve our security online by letting us manage a large number of strong, unique passwords, one for each of the many online services we all use every day. However, like any software, password managers are not free from security flaws, and vulnerabilities in them are regularly disclosed, most recently at Black Hat Europe 2023, a series of conferences dedicated to cybersecurity held in London from December 4 to 7, 2023.
AutoSpill: a technique to exploit the password manager flaw
During the event, a team of Indian researchers from the International Institute of Information Technology (IIIT) in Hyderabad revealed that it had developed a technique to steal credentials from many Android password managers. Dubbed AutoSpill, the technique relies on a data leak the researchers identified between two software components widely used on Android. On one side, the system's ability to automatically fill in login forms, whether in the web browser or directly inside applications. On the other, the ability for applications to display web content, such as a login page, inside their own screens without opening the phone's browser, thanks to a component called WebView.
These two capabilities are very practical day to day, letting you quickly fill in your credentials in different applications without manually juggling the password manager and the browser. However, it is precisely between the WebView component and the login form it displays that the researchers found the leak: credentials autofilled for the login page loaded in the WebView can end up in the hands of the host application, which can thus recover the user's username and password. The research team published a very clear and educational presentation explaining the mechanisms behind the flaw and the method to exploit it. The vulnerability seems all the more worrying to them because, unlike many others, exploiting it does not necessarily require running JavaScript code, which makes a malicious app abusing it particularly difficult to detect among the applications downloadable from the Play Store.
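To make the mechanism concrete, here is an added illustration of the password-manager side of the flow. It is not code from the AutoSpill researchers or from any of the password managers named in this article, and the decision rule it applies (only fill a field whose web domain matches the origin the credential was saved for, and never drop web credentials into the host app's native fields that arrive in the same autofill structure) is a hardening written for this example, not the researchers' published recommendation. The package name, the `lookupForDomain`/`lookupForPackage` vault lookups and the `R.layout.autofill_item`/`R.id.autofill_text` presentation resources are hypothetical placeholders; the Android autofill APIs used (`AutofillService`, `AssistStructure`, `ViewNode.getWebDomain()`, `Dataset`, `FillResponse`) are real.

```java
// Added illustration, not code from the AutoSpill researchers or from any password manager.
// An AutofillService that binds web credentials to the WebView origin that asked for them and
// refuses to place them into native fields of the host app that sit in the same window.
// Hypothetical pieces: the package name, lookupForDomain/lookupForPackage, and the
// R.layout.autofill_item / R.id.autofill_text presentation resources.
package example.autofill;

import android.app.assist.AssistStructure;
import android.app.assist.AssistStructure.ViewNode;
import android.os.CancellationSignal;
import android.service.autofill.AutofillService;
import android.service.autofill.Dataset;
import android.service.autofill.FillCallback;
import android.service.autofill.FillContext;
import android.service.autofill.FillRequest;
import android.service.autofill.FillResponse;
import android.service.autofill.SaveCallback;
import android.service.autofill.SaveRequest;
import android.view.View;
import android.view.autofill.AutofillValue;
import android.widget.RemoteViews;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class OriginBoundAutofillService extends AutofillService {

    /** A stored username/password pair (hypothetical vault record). */
    static final class Credential {
        final String username, password;
        Credential(String u, String p) { username = u; password = p; }
    }

    // Placeholders for the vault: credentials saved for a web domain or for an app package.
    Credential lookupForDomain(String domain) { return null; }
    Credential lookupForPackage(String pkg) { return null; }

    @Override
    public void onFillRequest(FillRequest request, CancellationSignal signal, FillCallback callback) {
        List<FillContext> contexts = request.getFillContexts();
        AssistStructure structure = contexts.get(contexts.size() - 1).getStructure();
        String hostPackage = structure.getActivityComponent().getPackageName();

        // Walk every window: WebView-rendered HTML inputs and the host app's native EditTexts
        // arrive in the same tree, which is exactly what makes the two easy to confuse.
        List<ViewNode> usernames = new ArrayList<>(), passwords = new ArrayList<>();
        for (int i = 0; i < structure.getWindowNodeCount(); i++) {
            collect(structure.getWindowNodeAt(i).getRootViewNode(), usernames, passwords);
        }
        List<ViewNode> all = new ArrayList<>(usernames);
        all.addAll(passwords);

        String domain;
        try {
            domain = requestingDomain(all);
        } catch (SecurityException mixedOrigins) {
            callback.onSuccess(null); // two origins in one form: do not guess, fill nothing
            return;
        }

        // Web credentials are keyed by the WebView's domain; native forms by the app package.
        Credential cred = (domain != null) ? lookupForDomain(domain) : lookupForPackage(hostPackage);
        if (cred == null) { callback.onSuccess(null); return; }

        RemoteViews presentation = new RemoteViews(getPackageName(), R.layout.autofill_item);
        presentation.setTextViewText(R.id.autofill_text, cred.username);
        Dataset.Builder dataset = new Dataset.Builder(presentation);
        int filled = 0;
        for (ViewNode n : usernames) {
            if (belongsToOrigin(n, domain)) { dataset.setValue(n.getAutofillId(), AutofillValue.forText(cred.username)); filled++; }
        }
        for (ViewNode n : passwords) {
            if (belongsToOrigin(n, domain)) { dataset.setValue(n.getAutofillId(), AutofillValue.forText(cred.password)); filled++; }
        }
        if (filled == 0) { callback.onSuccess(null); return; }
        callback.onSuccess(new FillResponse.Builder().addDataset(dataset.build()).build());
    }

    @Override
    public void onSaveRequest(SaveRequest request, SaveCallback callback) {
        callback.onSuccess(); // saving is out of scope for this illustration
    }

    /** The single web domain that owns the fields, or null for a purely native form. */
    static String requestingDomain(List<ViewNode> nodes) {
        String domain = null;
        for (ViewNode n : nodes) {
            String d = n.getWebDomain(); // null for native views, set for HTML inputs in a WebView
            if (d == null) continue;
            if (domain != null && !domain.equals(d)) throw new SecurityException("mixed origins");
            domain = d;
        }
        return domain;
    }

    /** A web credential may only land in a field of the same web domain; a native field next
     *  to a WebView form (webDomain == null while domain != null) belongs to the host app. */
    static boolean belongsToOrigin(ViewNode n, String domain) {
        return domain == null ? n.getWebDomain() == null : domain.equals(n.getWebDomain());
    }

    static void collect(ViewNode node, List<ViewNode> usernames, List<ViewNode> passwords) {
        String[] hints = node.getAutofillHints();
        if (hints != null) {
            List<String> h = Arrays.asList(hints);
            if (h.contains(View.AUTOFILL_HINT_PASSWORD)) passwords.add(node);
            else if (h.contains(View.AUTOFILL_HINT_USERNAME) || h.contains(View.AUTOFILL_HINT_EMAIL_ADDRESS)) usernames.add(node);
        }
        for (int i = 0; i < node.getChildCount(); i++) collect(node.getChildAt(i), usernames, passwords);
    }
}
```

The point of the check is in `belongsToOrigin`: once any field in the structure reports a web domain, the form is a WebView form, and any sibling field with no web domain is a native view owned by the host app, so it gets nothing. Without that distinction the service fills every username- or password-hinted field it finds in the window, which is the leak the article describes.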
AutoSpill: 7 popular password managers are affected
The researchers tested AutoSpill against seven of the most popular and widely used password managers on Android. Five of them, namely 1Password, LastPass, Enpass, Keepass2Android and Keeper, were vulnerable to AutoSpill without any JavaScript injection and could thus leak the username and password during autofill. Google Smart Lock and Dashlane did not appear susceptible to this version of the attack. With JavaScript injection, however, all seven managers proved vulnerable to AutoSpill.
Of course, the research team shared its findings with the vendors of the password managers concerned and sent them a series of recommendations to correct the behaviour of their products and thus avoid leaking credentials during autofill. According to Bleeping Computer, the developers of the affected software should soon release security patches to address this vulnerability.
While we wait for these fixes, there seems to be no reason to panic and give up the password managers identified. There is currently no evidence that this flaw is being actively exploited by malicious actors, and the benefits of using a password manager for your personal security still far outweigh the risks. As always, stay vigilant about the applications you install on your phone and install any updates your system offers as soon as they become available.