If you’re an Android user, think twice before using a password manager to autofill your credentials, as a study found that doing so in WebView can leak your data.
Considering how many passwords the average user has at their disposal, a password manager is an undeniably helpful tool that is supposed to help you keep track of your many credentials while securing you from potential online threats.
Unfortunately, no online tool is perfect, and this new vulnerability could have dire consequences for password manager users on Android devices.
Password Managers on Android Devices Leak Data in WebView
At the Black Hat Europe conference in London this week, researchers made a presentation that showed a significant security vulnerability for Android users. Cleverly dubbed AutoSpill by the researchers, the vulnerability occurs when you use autofill to input your login credentials in the WebView mode of your device.
Fortunately, with your typical selection of apps, there isn’t much of a problem, as the providers of legitimate services have no need for your leaked credentials. However, if you’ve downloaded a malicious app onto your device, the ease with which they gain access to your password and other data is quite troubling.
🔎 Want to browse the web privately? 🌎 Or appear as if you're in another country?
Get a huge 86% off Surfshark with this special tech.co offer.
“If it is a malicious application, it will receive the credentials for free. No phishing required, no tricking needed, nothing is required.” – Ankit Gangwal of the International Institute of Information Technology (IIIT)
Fortunately, Gangwal made password manager providers and Google aware of the uniquely Android problem and according to Gangwal, “they are trying to fix it.”
Password Manager Use on the Rise
The average user does not follow password best practices, with large percentages admitting to using the same password for multiple accounts and easy-to-guess words and phrases still topping most popular password lists.
Subsequently, password managers were designed to solve the problem, providing a secure means of logging into multiple accounts without having lax security measures protecting them. In fact, password manager usage has been on the rise, increasing 13% from 2022 to 2023.
Unfortunately, with these kinds of massive vulnerabilities, confidence in password managers could dwindle, with the average user opting for the tried-and-true sticky note method over a password manager.
How to Avoid This Vulnerability
The best way to avoid this vulnerability is to avoid using a password manager to autofill your credentials when using the WebView mode on your Android device. Still, this isn’t exactly a long-term solution, which is why the researchers suggested a more practical option.
“I think passkeys will solve this entire problem because they are signature-based, and you need to explicitly give permission to each application that can access the passkey.” – Ankit Gangwal
The passkey vs password debate continues to rage on, but luckily, the majority of providers are starting to see the value of this new means of security. The question is: when will passkeys become the standard over passwords?
