Vulns in Android WebView, Password Managers Can Leak User Credentials

BLACK HAT EUROPE – London – Researchers demonstrated how the most widely used password managers can leak credentials from Android devices when using the mobile operating system's WebView autofill capability with malicious apps.

At this week's Black Hat Europe conference, Ankit Gangwal of the International Institute of Information Technology (IIIT) showed how mobile apps using WebView controls can leak credentials from many password managers.

Gangwal and his students, Shubham Singh and Abhijeet Srivastava, revealed the credential-leaking vulnerability they call "AutoSpill" in a paper they presented in April at the ACM Conference on Data and Application Security and Privacy (CODASPY). The technical paper, which won top honors at the CODASPY event, detailed how AutoSpill can unwittingly leak the Android-based WebView autofill function in mobile password managers.

The finding comes as the use of password managers has accelerated. In the US, 34% use password managers, up from 21% in 2022, according to Security.org's annual "Password Manager Industry Report and Market Outlook."

Gangwal explains that he and the students discovered the top 10 password managers are prone to AutoSpill, where an app can expose username and password credentials when invoking WebView. According to Gangwal, it's a problem when a user unintentionally loads a malicious app.

Credential Theft: "No Phishing Required"

"If it is a malicious application, it will receive the credentials for free," Gangwal says. "No phishing required, no tricking needed, nothing is required. The worst part is that such applications can stay in the official stores [i.e., Google Play], where they can be distributed to a larger user base, which makes this problem even more serious, in my opinion."

Gangwal says he is not aware of anyone who has exploited AutoSpill. "I hope nobody has exploited it," he says. "The moment we discovered this thing, we documented everything. We have shared it with the affected password managers and the Google team." After publishing the paper, Gangwal emailed the paper to all the password manager providers. One, who Gangwal didn't identify, failed to respond despite numerous contact attempts. Many of those who did respond deferred the problem to Google.

"They said this is not our responsibility, this is a problem with Android," Gangwal recalls. "We try to argue with them again and again. We invested a lot of time in communication and explained the problem to them. Everything they just outright denied."

One who did respond was 1Password, which Gangwal says promised to fix the problem.

In a brief response to an inquiry from Dark Reading, 1Password CTO Pedro Canahuati confirms that a fix is in the works.  “While the fix will further strengthen our security posture, 1Password’s autofill function has been designed to require the user to take explicit action,” Canahuati says. “The update will provide additional protection by preventing native fields from being filled with credentials that are only intended for Android’s WebView.”

Meanwhile, Gangwal says Google has assigned the AutoSpill vulnerability Priority 2 and Severity 2 ranking through its bug hunting community program. While investigation progress in the bug hunting program is not made public, Gangwal says, “They have responded multiple times that they are trying to fix it.”

When contacted for comment, a Google spokesperson provided Dark Reading with the following response:

“WebView is used in a variety of ways by Android developers, which include hosting login pages for their own services in their apps," he says. "This issue is related to how password managers leverage the autofill APIs when interacting with WebView. We recommend third-party password managers be sensitive as to where passwords are being inputted, and we have WebView best practices that we recommend all password managers implement."

He adds, "Android provides password managers with the required context to distinguish between native views and WebViews, as well as whether the WebView being loaded is not related to the hosting app. For example, when using the Google Password Manager for autofill on Android, users are warned if they are entering a password for a domain Google determines may not be owned by the hosting app, and the password is only filled in on the proper field. Google implements server side protections for logins via WebView.”

Potential Remedies 

Password managers can mitigate the risk by associating a web domain with the input field that includes a username and password, Gangwal notes. "This way, they can develop a more secure coupling."

Gangwal believes the ultimate remedy is eliminating passwords altogether with passkeys, digital credentials that enable passwordless authentication using private cryptographic keys based on the FIDO Alliance spec that implements the World Wide Web Consortium's (W3C) WebAuthn standard.

"I think passkeys will solve this entire problem because they are signature-based, and you need to explicitly give permission to each application that can access the passkey," he says. "However, being a researcher, let's see what happens because what we are studying right now is half-baked. But we believe we are going to see promising results."