Generative Data Intelligence

Vulns in Android WebView, Password Managers Can Leak User Credentials


BLACK HAT EUROPE – London – Researchers demonstrated how the most widely used password managers can leak credentials from Android devices when using the mobile operating system’s WebView autofill capability with malicious apps.

At this week’s Black Hat Europe conference, Ankit Gangwal of the International Institute of Information Technology (IIIT) showed how mobile apps using WebView controls can leak credentials from many password managers.

Gangwal and his students, Shubham Singh and Abhijeet Srivastava, revealed the credential-leaking vulnerability they call “AutoSpill” in a paper they presented in April at the ACM Conference on Data and Application Security and Privacy (CODASPY). The technical paper, which won top honors at the CODASPY event, detailed how the Android WebView autofill function can cause mobile password managers to unwittingly leak credentials.

The finding comes as the use of password managers has accelerated. In the US, 34% use password managers, up from 21% in 2022, according to Security.org’s annual “Password Manager Industry Report and Market Outlook.”

Gangwal explains that he and the students discovered that the top 10 password managers are prone to AutoSpill, in which an app that invokes WebView can expose the user's username and password credentials. According to Gangwal, it becomes a problem when a user unintentionally loads a malicious app.

Credential Theft: “No Phishing Required”

“If it is a malicious application, it will receive the credentials for free,” Gangwal says. “No phishing required, no tricking needed, nothing is required. The worst part is that such applications can stay in the official stores [i.e., Google Play], where they can be distributed to a larger user base, which makes this problem even more serious, in my opinion.”

Gangwal says he is not aware of anyone who has exploited AutoSpill. “I hope nobody has exploited it,” he says. “The moment we discovered this thing, we documented everything. We have shared it with the affected password managers and the Google team.” After publishing the paper, Gangwal emailed the paper to all the password manager providers. One, who Gangwal didn’t identify, failed to respond despite numerous contact attempts. Many of those who did respond deferred the problem to Google.

“They said this is not our responsibility, this is a problem with Android,” Gangwal recalls. “We try to argue with them again and again. We invested a lot of time in communication and explained the problem to them. Everything they just outright denied.”

One who did respond was 1Password. “They promised to fix the problem,” Gangwal says. In a brief response to an inquiry from Dark Reading, 1Password product manager Nick Steele said, “Prof. Ankit and his team were nice enough to report their findings to our team a couple of weeks ago; we’ll have a response for you soon.”

Gangwal says Google has assigned the AutoSpill vulnerability Priority 2 and Severity 2 ranking through its bug hunting community program. While investigation progress in the bug hunting program is not made public, Gangwal says, “They have responded multiple times that they are trying to fix it.”

Potential Remedies

Password managers can mitigate the risk by associating a web domain with the input field that includes a username and password, Gangwal notes. “This way, they can develop a more secure coupling.”
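The "secure coupling" Gangwal describes can be modelled as a per-field fill policy: a saved credential is bound to the web origin it was saved for, and a fill request from a host app may mix web page fields (which report a web domain) with the host app's own native fields (which report none). The Go program below is an added illustration written for this article, not code from the AutoSpill paper or from any password manager; the credential, package names and field layout are constructed, and the app-to-origin association is a plain allow-list standing in for whatever proof (such as Digital Asset Links) a real implementation would require.

```go
package main

import (
	"fmt"
	"strings"
)

// Credential is a stored login bound to the web origin it was saved for and
// to the native app packages explicitly associated with that origin (on
// Android such an association would normally be proven through Digital
// Asset Links; here it is a constructed allow-list).
type Credential struct {
	Username    string
	Origin      string   // e.g. "https://bank.example"
	AppPackages []string // native apps allowed to receive this credential
}

// Field is one fillable input as the autofill service sees it. WebDomain is
// set when the field lives in a web page inside a WebView; it is empty for
// native fields of the host app.
type Field struct {
	ID        string
	WebDomain string
}

// FillRequest is a fill request from one host app, possibly mixing WebView
// page fields with the host app's own native fields.
type FillRequest struct {
	HostPackage string
	Fields      []Field
}

// hostOf extracts the lower-cased host from an origin such as
// "https://bank.example:443/login".
func hostOf(origin string) string {
	o := strings.ToLower(origin)
	if i := strings.Index(o, "://"); i >= 0 {
		o = o[i+3:]
	}
	if i := strings.IndexAny(o, "/:?#"); i >= 0 {
		o = o[:i]
	}
	return o
}

// domainMatches accepts the credential's host itself or a subdomain of it.
func domainMatches(webDomain, credHost string) bool {
	d := strings.ToLower(webDomain)
	return d == credHost || strings.HasSuffix(d, "."+credHost)
}

// appAssociated reports whether the host app is explicitly tied to the
// credential's origin.
func appAssociated(cred Credential, pkg string) bool {
	for _, p := range cred.AppPackages {
		if p == pkg {
			return true
		}
	}
	return false
}

// PlanFill returns the IDs of the fields that may receive cred. Per field:
//   - a WebView field is filled only if its web domain matches the origin
//     the credential was saved for;
//   - a native field (no web domain) is filled only if the host app itself
//     is associated with that origin.
// Any other field is skipped, even when the same request also carries a
// matching WebView field.
func PlanFill(cred Credential, req FillRequest) []string {
	credHost := hostOf(cred.Origin)
	var fill []string
	for _, f := range req.Fields {
		switch {
		case f.WebDomain != "":
			if domainMatches(f.WebDomain, credHost) {
				fill = append(fill, f.ID)
			}
		case appAssociated(cred, req.HostPackage):
			fill = append(fill, f.ID)
		}
	}
	return fill
}

func main() {
	// Constructed sample: a credential for bank.example and a request from an
	// unrelated host app whose WebView shows the bank's login page next to the
	// app's own native username/password fields.
	cred := Credential{
		Username:    "alice",
		Origin:      "https://bank.example",
		AppPackages: []string{"com.bank.example.app"},
	}
	req := FillRequest{
		HostPackage: "com.unrelated.host",
		Fields: []Field{
			{ID: "web-user", WebDomain: "login.bank.example"},
			{ID: "web-pass", WebDomain: "login.bank.example"},
			{ID: "native-user"},
			{ID: "native-pass"},
		},
	}
	fmt.Println(PlanFill(cred, req)) // [web-user web-pass]
}
```

The point of the per-field decision is that the two native fields in the sample request are never filled: the host app is not associated with bank.example, so the fact that its WebView happens to show the bank's login page does not entitle the app's own views to the credential.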

Gangwal believes the ultimate remedy is eliminating passwords altogether with passkeys: digital credentials that enable passwordless authentication using private cryptographic keys, based on the FIDO Alliance specification that implements the World Wide Web Consortium's (W3C) WebAuthn standard.

“I think passkeys will solve this entire problem because they are signature-based, and you need to explicitly give permission to each application that can access the passkey,” he says. “However, being a researcher, let’s see what happens because what we are studying right now is half-baked. But we believe we are going to see promising results.”
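What makes passkeys "signature-based" in the sense Gangwal means is that the authenticator signs over the origin the platform observed, so an assertion produced for one origin cannot be presented to another relying party. The Go program below is an added, simplified illustration of that check written for this article; it is not code from the paper, from any password manager, or from a FIDO/WebAuthn library. It models authenticator data as just the RP ID hash plus a flags byte (real authenticator data also carries a signature counter and extensions), generates a throwaway P-256 key in place of a hardware-held one, and uses constructed RP IDs, origins and challenges.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is the subset of WebAuthn CollectedClientData used here. The
// authenticator's signature covers a hash of this JSON, so the origin the
// client observed is bound into the assertion.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is a simplified authentication assertion.
type Assertion struct {
	AuthData       []byte // rpIdHash (32 bytes) || flags (1 byte)
	ClientDataJSON []byte
	Signature      []byte // ASN.1 DER ECDSA signature
}

// NewKey generates a per-credential P-256 key pair. This is a constructed
// stand-in: a real passkey's private key never leaves the authenticator.
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// signedDigest is the value both sides hash: SHA-256(authData || SHA-256(clientDataJSON)).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Sign is the authenticator's side: it signs for the origin the platform
// reports, together with the RP ID it was registered for and the challenge.
func Sign(key *ecdsa.PrivateKey, rpID, origin, challenge string) (Assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01) // flags: user present
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedDigest(authData, cd))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// Verify is the relying party's side. It rejects assertions whose client data
// names a different origin, whose RP ID hash does not match, whose challenge
// was not the one issued, or whose signature does not cover the presented data.
func Verify(pub *ecdsa.PublicKey, a Assertion, rpID, expectedOrigin, expectedChallenge string) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("unexpected clientData type")
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("challenge mismatch (possible replay)")
	}
	if cd.Origin != expectedOrigin {
		return errors.New("origin mismatch: assertion was produced for " + cd.Origin)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(a.AuthData) < 33 || !bytes.Equal(a.AuthData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if a.AuthData[32]&0x01 == 0 {
		return errors.New("user presence flag not set")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(a.AuthData, a.ClientDataJSON), a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	good, _ := Sign(key, "bank.example", "https://bank.example", "challenge-1")
	fmt.Println(Verify(&key.PublicKey, good, "bank.example", "https://bank.example", "challenge-1")) // <nil>
	other, _ := Sign(key, "bank.example", "https://evil.example", "challenge-1")
	fmt.Println(Verify(&key.PublicKey, other, "bank.example", "https://bank.example", "challenge-1")) // origin mismatch
}
```

Contrast this with autofill: a filled password is a reusable secret that is equally valid wherever it lands, whereas the assertion above is only meaningful to the relying party whose origin and RP ID were signed, and rewriting the client data to claim another origin invalidates the signature.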
