Password managers using Android Oreo Autofill APIs are potentially vulnerable

API support for auto-complete passwords is one of the most popular features of Android 8.0 Oreo : Many third-party applications, such as LastPass, have already integrated Autofill APIs inside them.

The update, although it is a step forward compared to the previous implementation of the automated completion that used Accessibility Services, presents security issues . A white paper published on GitHub by Mark Murphy (CommonsWare), in fact, shows a flaw in the system that, if exploited, could allow the password management application to gather far more data than the ones for which the user gave the consent.

With the new system introduced with Android O, a malicious person might enter the application that requires personal data entry and Autofill application to get unanticipated sensitive data by inserting an invisible text field , completed without that the user is aware of it, as you can see by opening the gallery images.

Google is working to solve the problem, but finding a solution is not easy ; probably the road that will be undertaken will lead to updating Autofill applications with systems to avoid this kind of fraud. In any case, applications such as 1Password, Enpass, and LastPass should be safe at this time: use these apps for the time being, or disable Autofill services to avoid any risk.

Tracy

Tracy

Always on the move... Love to blog, write about smartphones, technology and telecoms. I also like to snowboard, when I have the time :p I'll be around for a while so, be prepared.

Leave a Response