Your favorite password manager could be exposing your credentials

nanoguy

Why it matters: The use of password managers has accelerated in recent years, and while that's a good way to protect your security online, it's by no means a perfect solution. New research has revealed that a simple Android vulnerability can potentially expose your credentials to malicious apps, especially when a web page is loaded inside an app and asks you to log in to view its content.

Several widely used mobile password managers are inadvertently leaking credentials from Android devices due to a newly discovered vulnerability in the WebView autofill mechanism used by many Android apps.

Researchers at the Indian Institute of Technology in Hyderabad who discovered the flaw call it "AutoSpill," which is a fitting name as it automatically exposes credentials from mobile password managers and circumvents the security measures for the autofill functionality in Android.

Ankit Gangwal and his students Abhijeet Srivastava and Shubham Singh published their findings in a paper and presented them at the ongoing Black Hat Europe conference in London. Gangwal explains that password managers can get "disoriented" when they have to autofill credentials inside apps that load web pages using Google's WebView engine.

A common example would be apps that allow logging in through your Facebook or Google account to make the signup process faster and more convenient. When the password manager is prompted to fill in the credentials, the expected behavior is that it'll autofill them in the right fields of the WebView interface. However, it will sometimes expose your credentials to the base app instead.

While it may not seem like a huge deal, there's a significant risk that malicious apps masquerading as legitimate entertainment or utility apps could grab the credentials of unsuspecting Android users and use them to access sensitive information. Google regularly removes such apps from Google Play, but often after they've already been downloaded by hundreds of thousands of users.

The researchers tested several popular mobile password managers, including LastPass, 1Password, Enpass, and Keeper, on Android devices running the latest security updates. They found that almost all of the apps leaked credentials even with JavaScript injection disabled; with JavaScript injection enabled, all of the tested mobile password managers became susceptible to AutoSpill.

These findings are particularly concerning when you consider that password managers have seen significant user growth in recent years. In the US, an estimated 34 percent use password managers this year, up from 21 percent in 2022. The AutoSpill vulnerability requires no phishing or tricking the user, which makes it easy for a malicious actor to exploit.


The good news is that Gangwal believes there's little evidence of AutoSpill being exploited in the wild. However, when he contacted the developers of the tested password managers, one failed to respond despite numerous attempts while most other companies simply deferred the problem to Google.

As for Google, the company marked the AutoSpill bug as a Priority 2 and Severity 2 and is currently working on a fix. 1Password is the only company that told Gangwal it would find a fix of its own for AutoSpill.

There are ways for password managers to mitigate the risk of credential leakage, such as binding the saved credential's web domain to the input fields being filled so that the coupling is tighter, but Gangwal ultimately believes the best solution would be to scrap passwords altogether and push for the use of passkeys for passwordless authentication.
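The domain-to-field coupling mentioned above, as an added example written for this page and not code from the researchers, Google, or any password manager: a small Python model of the autofill decision. It assumes each fillable field carries the hosting app's package name and, for fields inside a WebView, the page's web domain (the Android autofill framework exposes the latter through ViewNode.getWebDomain()). The Digital Asset Links table, the class names, and the sample screen are constructed for the example; the "permissive" policy is only an illustration of the failure shape the article describes, not a description of how any real product is implemented.

```python
"""Model of domain-bound autofill decisions for a password manager.

Each FillNode keeps the two attributes that matter for the decision: the
package name of the app hosting the view and, for WebView fields, the page's
web domain (None for the app's own native views).  The hardened policy
releases a credential saved for a web domain only to a field that belongs to
that domain, or to a native field of an app linked to the domain.
All names and sample data are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Credential:
    domain: str      # site the credential was saved for, e.g. "example.com"
    username: str
    password: str


@dataclass(frozen=True)
class FillNode:
    node_id: str
    package_name: str          # app hosting the view
    web_domain: Optional[str]  # page domain for WebView fields, None for native views
    hint: str                  # "username" or "password"


# Constructed stand-in for a Digital Asset Links check: which app packages may
# receive credentials saved for which web domains.
ASSET_LINKS: Dict[str, Set[str]] = {
    "example.com": {"com.example.official"},
}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: keep the last two labels.  Production code should use a
    public suffix list; this is enough for the sample hosts below."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def node_is_bound_to(node: FillNode, cred: Credential) -> bool:
    """A node may receive `cred` only if it is bound to the credential's domain."""
    target = registrable_domain(cred.domain)
    if node.web_domain is not None:
        # WebView field: the page's own domain decides, not the hosting app.
        return registrable_domain(node.web_domain) == target
    # Native field: the hosting app itself must be linked to the domain.
    return node.package_name in ASSET_LINKS.get(target, set())


def plan_fill(nodes: List[FillNode], cred: Credential) -> Dict[str, str]:
    """Hardened policy: node_id -> value for every node allowed to be filled."""
    plan: Dict[str, str] = {}
    for node in nodes:
        if not node_is_bound_to(node, cred):
            continue
        if node.hint == "username":
            plan[node.node_id] = cred.username
        elif node.hint == "password":
            plan[node.node_id] = cred.password
    return plan


def plan_fill_permissive(nodes: List[FillNode], cred: Credential) -> Dict[str, str]:
    """Illustrative permissive policy (constructed): once any WebView field on
    the screen matches the credential's domain, every username/password field
    in the structure is filled, including the host app's native ones.  This is
    the shape of leak the article describes, shown for contrast only."""
    target = registrable_domain(cred.domain)
    if not any(n.web_domain and registrable_domain(n.web_domain) == target for n in nodes):
        return {}
    plan: Dict[str, str] = {}
    for node in nodes:
        if node.hint == "username":
            plan[node.node_id] = cred.username
        elif node.hint == "password":
            plan[node.node_id] = cred.password
    return plan


# Constructed sample: a third-party app shows example.com's login page in a
# WebView while also having its own native username/password fields.
SAMPLE_CRED = Credential("example.com", "alice", "correct horse battery staple")
SAMPLE_NODES = [
    FillNode("web_user", "com.thirdparty.reader", "login.example.com", "username"),
    FillNode("web_pass", "com.thirdparty.reader", "login.example.com", "password"),
    FillNode("native_user", "com.thirdparty.reader", None, "username"),
    FillNode("native_pass", "com.thirdparty.reader", None, "password"),
]

if __name__ == "__main__":
    print("hardened:  ", plan_fill(SAMPLE_NODES, SAMPLE_CRED))
    print("permissive:", plan_fill_permissive(SAMPLE_NODES, SAMPLE_CRED))
```

Run as a script, the hardened plan fills only the two WebView fields, while the permissive plan also hands the password to the host app's native fields. The same check keeps a WebView on a look-alike host such as `example.com.evil.test` from receiving the credential, because the comparison is made on the registrable domain rather than on a prefix match.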

Masthead credit: Mika Baumeister


 
A long, easy-to-remember password that makes no sense is the best solution.

Something like $ad.Blond.Goose.Is.Barfing.In.Orbit+TechSpot will take a computer 10000+ centuries to crack (go ahead and test it at Kaspersky or whoever).

This could be used with almost any website, as long as you add the website you're trying to log into after the + sign. This way, the main password changes slightly by adding the website at the end.
 
The best "password manager" anyone can use is their own brain. Train your brain to remember passwords and you'll never forget them.

The purpose of a password manager isn't to be more convenient than memorization, it's the ability to use actually meaningfully secure passwords to access sites, a unique one for each, which no human could possibly do via memorization. People who use simple, easy-to-remember passwords are the ones who re-use them constantly, and wind up being another statistic after an exploit.
 
One could use a long, easy-to-remember password that makes no sense; that is the best solution.

Something like $ad.Blond.Goose.Is.Barfing.In.Orbit+TechSpot will take a computer 10000+ centuries to crack (go ahead and test it at Kaspersky or whoever).

This could be used with almost any website, as long as you add the website you're trying to log into after the + sign. This way, the main password changes slightly by adding the website at the end.

And after the next exploit of some huge site, it would be pretty trivial to figure out that 'technique' and then jump around exploiting all the other sites using the first part and appending +wellfargo, etc.
 
And after the next exploit of some huge site, it would be pretty trivial to figure out that 'technique' and then jump around exploiting all the other sites using the first part and appending +wellfargo, etc.

What exploit??

You're forgetting the most important part: This password is not stored ANYWHERE except the user's brain!! Unlike those top password managers that get hacked occasionally!
 
What exploit??

You're forgetting the most important part: This password is not stored ANYWHERE except the user's brain!! Unlike those top password managers that get hacked occasionally!

You don't think that the sites you visit 'store' your password? How do you think they authenticate you?


All it takes is one sh1tty company that doesn't employ security best-practices, and your super-duper password becomes public knowledge.
 
As an aside, it's best not to use something like Kaspersky or any other website's password checker. Yes, the checker runs locally in your browser, so it's not sending anything over the internet. But for absolute security, 'install' zxcvbn, which ensures that even the code itself never touches the internet.

 
As an aside, it's best not to use something like Kaspersky or any other website's password checker. Yes, the checker runs locally in your browser, so it's not sending anything over the internet. But for absolute security, 'install' zxcvbn, which ensures that even the code itself never touches the internet.


One must be really crazy to use their real password on any password testing website!! But I bet those who use 123456 do that.....:)
 
One must be really crazy to use their real password on any password testing website!! But I bet those who use 123456 do that.....:)

Not very clear on the concept of locally running javascript code that doesn't send anything over the net, or the lan, for that matter.

Good to know.
 
You do realize this is a general audience forum? One writes for the audience. I'm a semi-retired DevOps engineer. I have layers upon layers of security in use, none of which the average reader would have or even know of. The average reader isn't going to memorize magical sequences, not with any level of reasonable security to them. The average reader doesn't even use a password manager.
The first step is to use a password manager, that's the first and most important hurdle for the vast majority of people. Just taking that affirmative step ramps their security up by orders of magnitude.



But hey, ignore away, svengali.
 
In my view, it is easier to manage passwords by memory when I use keystroke patterns, rather than a string of nonsensical letters and characters. I have developed my own formula for creating keystroke patterns for every online/offline account and app that I have that requires a password. I only have to remember one formula (with minor variations in some cases). The formula may change from one account to another, based on the spelling of the domain name, app name or wherever it is that I'm logging in. A simple, easy-to-use keystroke pattern that includes upper/lower case letters, numbers and special characters... all the elements of a strong password. The pattern is 12 keystrokes, in all but a few cases where it may have an extra character. No little red book, no password vault app, nothing but a simple keystroke pattern formula that provides a strong password and applies everywhere I have to enter a password. No dictionary attack would ever hack it. A brute force attack would take 4 centuries or more. Good enough for me.
 
In my view, it is easier to manage passwords by memory when I use keystroke patterns, rather than a string of nonsensical letters and characters. I have developed my own formula for creating keystroke patterns for every online/offline account and app that I have that requires a password. I only have to remember one formula (with minor variations in some cases). The formula may change from one account to another, based on the spelling of the domain name, app name or wherever it is that I'm logging in. A simple, easy-to-use keystroke pattern that includes upper/lower case letters, numbers and special characters... all the elements of a strong password. The pattern is 12 keystrokes, in all but a few cases where it may have an extra character. No little red book, no password vault app, nothing but a simple keystroke pattern formula that provides a strong password and applies everywhere I have to enter a password. No dictionary attack would ever hack it. A brute force attack would take 4 centuries or more. Good enough for me.

Seems a lot more complicated and less convenient than just using a password manager, but to each his own.
 
The purpose of a password manager isn't to be more convenient than memorization, it's the ability to use actually meaningfully secure passwords to access sites, a unique one for each, which no human could possibly do via memorization. People who use simple, easy-to-remember passwords are the ones who re-use them constantly, and wind up being another statistic after an exploit.
And all of that can be done with the human mind and/or a physical notebook. Password managers are superfluous.
 
And all of that can be done with the human mind and/or a physical notebook. Password managers are superfluous.
Totally true. And you can also dig a trench with a shovel rather than using a backhoe, or take the stairs to the 160th floor of the Burj Khalifa rather than the elevator.

If you enjoy hand-crafting 64 character fully randomized passwords, writing them in your little notebook along with the url of each site, then hand-typing them in each time you visit a website, by all means, go for it. You're free to waste your time and effort as much as you want.

I, and most other people, would rather do more productive things with our time.
 
Totally true. And you can also dig a trench with a shovel rather than using a backhoe, or take the stairs to the 160th floor of the Burj Khalifa rather than the elevator.
That analogy is without logic or merit.

If you enjoy hand-crafting 64 character fully randomized passwords
No one NEEDS that kind of password. Properly crafted, a password only needs to be between 16 and 24 characters long to be unbreakable. Your ignorance of that fact doesn't make it any less factual.

You're free to waste your time and effort as much as you want.

I, and most other people, would rather do more productive things with our time.
Practice makes perfect. Using your brain to memorize information ALWAYS makes you better at memorization and by virtue of attrition, faster. If you lack the patience to LEARN, or perhaps lack that capability, then yes, maybe people like yourself need a password manager. For the rest of us, proactively investing time in ourselves to improve ourselves will always be the better course of action.
 
That analogy is without logic or merit.
I'm sorry you weren't able to understand it. It's called 'using the best tool or path for the task at hand'.

No one NEEDS that kind of password.

Today, perhaps. Tomorrow? Maybe. Please, elucidate - is there any HARM in employing a 64 char password? I know the answer, as do you.

Properly crafted, a password only needs to be between 16 and 24 characters long to be unbreakable. Your ignorance of that fact doesn't make it any less factual.

You certainly have an enormous ego, that much is quite evident. Which is it, friend? Are sixteen characters unbreakable, or 24? If sixteen characters is "unbreakable", then why bother with 24? What you've just demonstrated is that your claims are....fluid depending on what argument you pretend to have expertise in.

Practice makes perfect. Using your brain to memorize information ALWAYS makes you better at memorization and by virtue of attrition, faster.

Well that's odd. You said you used a notebook. Why do you need a notebook if you have them memorized?

If you lack the patience to LEARN, or perhaps lack that capability, then yes, maybe people like yourself need a password manager. For the rest of us, proactively investing time in ourselves to improve ourselves will always be the better course of action.

Blah blah blah. There is nothing "learned" by memorizing random strings of characters. It's really as simple as that. Your faux pedantry isn't convincing anyone.

Here's an easy question: What HARM does using a password manager cause?

You also know the answer to that as well. Hope you don't have a house fire and lose your notebook. Hope you don't get conked on the head in an accident, and forget most or all of your precious passwords.

I have only my master password to keep memorized. And I have it engraved on a stainless steel plate in a safe.

Smart people take the path of least resistance, instead of puffing themselves up about memorizing useless strings of characters for no good reason, since there's a better way to do it. Ever heard the phrase 'work smarter, not harder'? You're advocating the latter.

If you enjoy memorizing hundreds of sixteen digit random strings, and typing them in every time by hand, then you do you, by all means. The average person has better things to expend their effort on.
 