Identity, Vulnerability Management

Inadvertent credential leakage from mobile password managers discovered

TechCrunch reports that a flaw in the autofill functionality of Android apps could lead to the accidental exposure of credentials saved in mobile password managers, including 1Password, Keeper, LastPass, and Enpass. The vulnerability, dubbed "AutoSpill", arises because password managers become confused about which fields should receive the user's login data when an app loads a login page inside a WebView, according to a study by IIIT Hyderabad researchers presented at the Black Hat Europe conference. "Even without phishing, any malicious app that asks you to log in via another site, like Google or Facebook, can automatically access sensitive information," said researcher Ankit Gangwal.

Google and the affected password managers have already been notified of the AutoSpill bug, and 1Password has committed to fixing the vulnerability. "While the fix will further strengthen our security posture, 1Password's autofill function has been designed to require the user to take explicit action. The update will provide additional protection by preventing native fields from being filled with credentials that are only intended for Android's WebView," said 1Password Chief Technology Officer Pedro Canahuati.
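To illustrate the class of mistake described above and the kind of scoping fix 1Password mentions, here is an added Python model (not code from the researchers, TechCrunch, or any password manager): a simplified view tree with `ViewNode`, `Credential`, the host package name and the vault contents are all constructed for the example, and the two fill policies are hypothetical stand-ins for an autofill service's decision logic.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class ViewNode:
    """Constructed stand-in for one autofillable field in the app's window."""
    node_id: str
    hint: str                         # "username" or "password"
    web_domain: Optional[str] = None  # set only for fields rendered inside a WebView

@dataclass
class Credential:
    origin: str      # web domain or Android package the secret was saved for
    username: str
    password: str

def naive_fill(nodes, host_package, creds):
    """Risky policy: once a credential matches the WebView's domain,
    every login field in the window is filled, native fields included."""
    domains = {n.web_domain for n in nodes if n.web_domain}
    chosen = next((c for c in creds if c.origin in domains), None)
    if chosen is None:
        return {}
    return {n.node_id: getattr(chosen, n.hint) for n in nodes}

def scoped_fill(nodes, host_package, creds):
    """Hardened policy: a field only receives a credential saved for the
    origin that field actually belongs to (its web domain, or else the
    host app's package), so WebView-only credentials never reach native fields."""
    result = {}
    for n in nodes:
        origin = n.web_domain if n.web_domain else host_package
        match = next((c for c in creds if c.origin == origin), None)
        if match:
            result[n.node_id] = getattr(match, n.hint)
    return result

# Constructed sample: an untrusted app shows a Google login in a WebView
# while also exposing native username/password fields it can read itself.
HOST = "com.example.untrusted"
TREE = [
    ViewNode("web_user", "username", "accounts.google.com"),
    ViewNode("web_pass", "password", "accounts.google.com"),
    ViewNode("native_user", "username"),
    ViewNode("native_pass", "password"),
]
VAULT = [Credential("accounts.google.com", "alice@example.com", "s3cr3t")]

def leaked_fields(policy):
    """Return the native (non-WebView) fields a policy would hand the web credential to."""
    filled = policy(TREE, HOST, VAULT)
    web_ids = {n.node_id for n in TREE if n.web_domain}
    return sorted(k for k in filled if k not in web_ids)
```

Running `leaked_fields(naive_fill)` shows the two native fields receiving the Google credential, while `leaked_fields(scoped_fill)` is empty and only the WebView fields are filled.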
