Top mobile password managers could be exposing user details

Password Security
Bästa tjänsterna för lösenordshantering (Image credit: Shutterstock)

Some of the most popular mobile password managers on Android have a serious security flaw that could cause the worst problem possible for users - leaking their credentials. 

Known as "Autospill," the vulnerability involves a bug in the autofill function on Android devices.

It was discovered by researchers at the International Institute of Information Technology (IIIT) Hyperabad, who presented their findings at the recent Black Hat Europe conference.

Autospill security risk

The problem arises when an app login page is loaded in WebView, which is Google's engine for letting developers display web content inside an app without going into a browser. This confuses the password manager about where to autofill the password, and instead it can mistakenly "expose the credentials to the base app," Ankit Gangwal, one of the researchers involved, told TechCrunch.  

What it should do is autofill a user's credentials in the WebView login page that appears in the app. Gangwal cautions that this poses a significant threat in the case of malicious apps, as they could exploit the flaw to gain a user's credentials automatically, without the need to run phishing campaigns. 

The password managers that the researchers claim to have tested the flaw on include 1Password, LastPass, Keeper, and Enpass - some of the most popular and best password managers around. They also said that the Android devices they used were new and up-to-date.

Apparently, most of the aforementioned apps were vulnerable to Autospill, even when JavaScript injection was disabled. When enabled, however, all of them were susceptible to the flaw.

Google and the relevant password managers have been notified of the flaw. 1Password told TechCrunch that it will be working to fix the flaw, while Keeper asked for a video demonstration of the flaw in action. 

After seeing it, Keeper CTO Craig Lurey believed that, "the researcher had first installed a malicious application and subsequently, accepted a prompt by Keeper to force the association of the malicious application to a Keeper password record."

Lurey further defended the security posture of Keeper by saying it has, "safeguards in place to protect users against automatically filling credentials into an untrusted application." He also advised the researchers share their findings with Google, as the problem relates to the Android platform specifically.

LastPass told TechCrunch that it already had a pop-up warning in place to alert users of potential autofilling dangers, but in light of the research said it will now add "more informative wording" to the notification.

The researchers said they will be testing the flaw on iOS devices too.

Update 12/8: Since the publication of this article, A Google spokesperson reached out to TechRadar Pro to explain that the flaw, "is related to how password managers leverage the autofill APIs when interacting with WebViews. We recommend third-party password managers be sensitive as to where passwords are being inputted, and we have WebView best practices that we recommend all password managers implement. Android provides password managers with the required context to distinguish between native views and WebViews, as well as whether the WebView being loaded is not related to the hosting app."

MORE FROM TECHRADAR PRO

Lewis Maddison
Reviews Writer

Lewis Maddison is a Reviews Writer for TechRadar. He previously worked as a Staff Writer for our business section, TechRadar Pro, where he had experience with productivity-enhancing hardware, ranging from keyboards to standing desks. His area of expertise lies in computer peripherals and audio hardware, having spent over a decade exploring the murky depths of both PC building and music production. He also revels in picking up on the finest details and niggles that ultimately make a big difference to the user experience.

Read more
Young woman working at a coffee shop with a laptop
Too many passwords, not enough brain space? Here’s how password managers can improve your life
A hand laying out a password
Security attacks on password managers have soared
Cartoon Phishing
Over a billion credentials stolen were stolen in malware attacks in 2024
Google Pixel 9 Pro
Google Password Manager may be set to introduce a nuclear option for its Android app
A digital themed isometric showing a neon padlock in the foreground, and a technological diagram of a processor logic board in the background.
LastPass 2022 hack fallout continues with millions of dollars more reportedly stolen
A close-up photo of an iPhone, with the App Store icon prominent in the center of the image.
Thousands of iOS apps found to expose user data and leak Stripe keys
Latest in Security
Data Breach
Thousands of healthcare records exposed online, including private patient information
China
Juniper patches security flaws which could have let hackers take over your router
Representational image depecting cybersecurity protection
GitLab has patched a host of worrying security issues
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
AI agents can be hijacked to write and send phishing attacks
China
Volt Typhoon threat group had access to American utility networks for the best part of a year
Abstract image of cyber security in action.
MassJacker malware targets those looking for pirated software
Latest in News
A super close up image of the Google Gemini app in the Play Store
It's official: Google Assistant will be retired for phones this year, with Gemini taking over
Quordle on a smartphone held in a hand
Quordle hints and answers for Sunday, March 16 (game #1147)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Sunday, March 16 (game #378)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Sunday, March 16 (game #644)
Three iPhone 16 handsets on show
Apple could launch an iPhone 17 Ultra this year – but we've heard these rumors before
Super Mario Odyssey
ChatGPT is the ultimate gaming tool - here's 4 ways you can use AI to help with your next playthrough