6 Android Password Managers Are Leaking Your Data


Several mobile password managers are leaking user credentials due to a vulnerability discovered in the autofill feature of Android apps.

This flaw, called AutoSpill, was reported by a team of researchers from the International Institute of Information Technology Hyderabad during the Black Hat Europe 2023 conference held last week.

This vulnerability occurs when an Android app loads a login page via WebView. (WebView is an Android component that displays web content without opening a web browser.) In this case, WebView lets the Android application display the content of the login page in question.


So far, so good. But when a password manager is added to the mix, credentials shared with WebView may also be shared with the application that originally requested the username and password. If the original application is trustworthy, everything should be fine. But if this app is untrustworthy, things could go very wrong.

The affected password managers are:

  • 1Password
  • LastPass
  • Pass
  • Keeper
  • Keepass2Android

Additionally, if the credentials were shared via a JavaScript injection method, Dashlane and Google Smart Lock are also affected by the vulnerability.

Due to the nature of this vulnerability, there is no need for phishing or malicious code in the application.

One thing to keep in mind is that the researchers tested this on very common hardware and software.

Specifically, they tested the vulnerability on these three devices:

  • Poco F1
  • Samsung Galaxy Tab S6 Lite
  • Samsung Galaxy A52

The Android versions used in their tests were Android 10 (with the December 2020 security patch), Android 11 (with the January 2022 security patch), and Android 12 (with the April 2022 security patch).

As the devices tested, as well as their operating systems and security patches, were not up to date, it is difficult to know for sure whether the vulnerability would affect newer versions of Android.

However, even if you use a different device than the ones the group tested, that doesn't mean you should ignore this vulnerability. Rather, it should serve as a reminder to keep your Android operating system and installed apps up to date at all times. WebView has always been under scrutiny, and updates to it should always be applied promptly. To check, open the Google Play Store on your device, search for WebView, tap About this app and compare the latest version with the version installed on your device.

If the installed version is not the latest, you will need to update.
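The same check can be scripted for a device connected over adb. The following is an added example, not code from the article or the researchers; it goes one step beyond the Play Store check by also comparing the device's security patch level with the newest one in the test set above. The function names, status labels and sample text are assumptions made for illustration, and it assumes the device uses the `com.google.android.webview` package.

```shell
#!/bin/sh
# Added example, not from the article. Live input would come from:
#   adb shell getprop
#   adb shell dumpsys package com.google.android.webview

# Newest security patch level in the article's test set (April 2022), as YYYYMM.
NEWEST_TESTED_PATCH=202204

# Read `getprop` output ("[key]: [value]") on stdin, print the value for key $1.
getprop_value() {
    tr -d '\r' | sed -n "s/^\[$1]: \[\(.*\)]\$/\1/p" | head -n 1
}

# Read `dumpsys package` output on stdin, print the first versionName.
webview_version() {
    tr -d '\r' | sed -n 's/^ *versionName=\(.*\)$/\1/p' | head -n 1
}

# Classify a YYYY-MM-DD patch level against the tested set.
classify_patch() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 0 ;;
    esac
    ym=$(printf '%s' "$1" | cut -c1-7 | tr -d '-')
    if [ "$ym" -le "$NEWEST_TESTED_PATCH" ]; then
        echo "in-tested-range"    # no newer than the newest tested patch level
    else
        echo "newer-than-tested"  # article: effect on newer builds not established
    fi
}

# Combine both parsers into a one-line report for a device.
audit() {  # $1 = getprop text, $2 = dumpsys text
    patch=$(printf '%s\n' "$1" | getprop_value ro.build.version.security_patch)
    wv=$(printf '%s\n' "$2" | webview_version)
    printf 'patch=%s webview=%s status=%s\n' \
        "${patch:-?}" "${wv:-?}" "$(classify_patch "$patch")"
}

# Constructed, simplified sample output (not captured from a real device).
SAMPLE_GETPROP='[ro.build.version.release]: [12]
[ro.build.version.security_patch]: [2022-04-01]'
SAMPLE_DUMPSYS='  Package [com.google.android.webview] (constructed):
    versionCode=1 minSdk=26 targetSdk=34
    versionName=0.0.0.0-constructed'

audit "$SAMPLE_GETPROP" "$SAMPLE_DUMPSYS"
```

A `newer-than-tested` result is not a clean bill of health; it only means the device is outside the configurations the researchers reported on.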

One of the best ways to keep Android secure is to make sure it’s always as up to date as possible. Check for operating system and application updates daily and apply any available ones.


Source: “ZDNet.com”


