Vulns in Android WebView, Password Managers Can Leak User Credentials

December 6, 2023 at 03:51PM

Researchers uncovered a vulnerability, called “AutoSpill,” in popular Android password managers that could allow malicious apps to steal credentials through WebView’s autofill feature. Despite raising awareness and contacting affected parties, some password managers and Google have yet to effectively address the issue. The researchers suggest that passkeys could ultimately resolve such security flaws.

Meeting Takeaways:

1. Researchers at Black Hat Europe in London exhibited a vulnerability in widely used password managers on Android devices, called “AutoSpill”. This vulnerability occurs when WebView autofill is exploited by malicious apps.

2. Ankit Gangwal, along with students Shubham Singh and Abhijeet Srivastava, exposed the credential-leaking issue through a paper presented at ACM’s CODASPY conference, which won an award.

3. The vulnerability affects the top 10 password managers, potentially allowing malicious apps to obtain user credentials without the need for phishing or user deception.

4. Gangwal has communicated the findings and the paper to affected password manager companies and the Google team. Most companies pointed to Android as the root of the issue, while 1Password has committed to fixing the problem.

5. Google has labeled the AutoSpill bug Priority 2 and Severity 2 and is reportedly working on a fix through its bug hunting community program.

6. Password managers can reduce risk by matching web domains to input fields for usernames and passwords, creating a more secure connection.

7. Long-term, Gangwal suggests passkeys – passwordless authentication that uses cryptographic keys based on FIDO Alliance and W3C’s WebAuthn standards – may resolve such vulnerabilities, though this solution is yet to be fully realized and tested.
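
Takeaway 6 as an added example (not code from the researchers' paper or from any password manager): a simplified Python model in which each input field carries the web domain it was rendered from, or none for a native field of the hosting app. The names Field, Credential and plan_fill are hypothetical, the sample data is constructed, and the exact-host, HTTPS-only matching policy is an assumption.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Field:
    field_id: str
    kind: str                  # "username" or "password"
    web_domain: Optional[str]  # None = native field owned by the host app

@dataclass(frozen=True)
class Credential:
    origin: str                # URL the credential was saved for
    username: str
    password: str

def normalise(host: str) -> str:
    """Lower-case and drop a trailing dot so equal hosts compare equal."""
    return host.strip().rstrip(".").lower()

def plan_fill(cred: Credential, fields: list) -> dict:
    """Return {field_id: value} only for fields bound to the saved domain."""
    parts = urlsplit(cred.origin)
    if parts.scheme != "https" or not parts.hostname:
        return {}              # assumption: never fill for non-HTTPS origins
    saved = normalise(parts.hostname)
    values = {"username": cred.username, "password": cred.password}
    plan = {}
    for f in fields:
        if f.web_domain is None:
            continue           # no web domain: leave the host app's field empty
        if normalise(f.web_domain) != saved:
            continue           # exact host match, so look-alike suffixes fail
        if f.kind in values:
            plan[f.field_id] = values[f.kind]
    return plan

# Constructed sample data: two web fields, two native fields, one look-alike.
SAMPLE_CRED = Credential("https://accounts.example.com/login", "alice", "constructed-secret")
SAMPLE_FIELDS = [
    Field("web_user", "username", "accounts.example.com"),
    Field("web_pass", "password", "Accounts.Example.com."),
    Field("native_user", "username", None),
    Field("native_pass", "password", None),
    Field("other_pass", "password", "accounts.example.com.evil.test"),
]

if __name__ == "__main__":
    print(plan_fill(SAMPLE_CRED, SAMPLE_FIELDS))
```

Only the two fields tied to the saved domain receive values; the native fields and the look-alike domain are left empty.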
