
Password Managers Using Android O’s Autofill Are Vulnerable to Data Leakage - AdmiralAsshat
https://github.com/commonsguy/AutofillFollies/blob/master/WHITE_PAPER.md
======
Diggsey
AFAICT, the main problem is that android doesn't force the autofill provider
to partition data according to which application is in use, in the same way
that you would expect them to be partitioned based on domain name on the web.

However, the information (application_id) _is_ provided to the autofill
provider, so it's not really fair to say that android itself is vulnerable:
specific implementations of the provider may be vulnerable. Even if android
could protect against this specific issue, you're still going to be placing a
lot of trust in the autofill provider.
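As an added illustration of the partitioning Diggsey describes (not code from the linked white paper or from any real password manager): a minimal Android `AutofillService` that keys stored credentials on the requesting app's package name and offers datasets only for visible username/password fields. The `Credential` record and its sample vault entry are constructed for this example.

```java
import android.app.assist.AssistStructure;
import android.app.assist.AssistStructure.ViewNode;
import android.os.CancellationSignal;
import android.service.autofill.*;
import android.view.View;
import android.view.autofill.AutofillId;
import android.view.autofill.AutofillValue;
import android.widget.RemoteViews;
import java.util.List;

public class PartitionedAutofillService extends AutofillService {
    // Hypothetical vault entry keyed by the package it was saved for; the sample data is constructed.
    record Credential(String packageName, String username, String password) {}
    private final List<Credential> vault = List.of(new Credential("com.example.bank", "alice", "constructed-pw"));

    public void onFillRequest(FillRequest request, CancellationSignal signal, FillCallback callback) {
        List<FillContext> contexts = request.getFillContexts();
        AssistStructure structure = contexts.get(contexts.size() - 1).getStructure();
        // The framework tells the provider which app is asking: partition on it the way a browser keys on domain.
        String caller = structure.getActivityComponent().getPackageName();
        AutofillId userId = null, passId = null;
        for (int w = 0; w < structure.getWindowNodeCount(); w++) {
            ViewNode root = structure.getWindowNodeAt(w).getRootViewNode();
            if (userId == null) userId = findVisible(root, View.AUTOFILL_HINT_USERNAME);
            if (passId == null) passId = findVisible(root, View.AUTOFILL_HINT_PASSWORD);
        }
        if (userId == null || passId == null) { callback.onSuccess(null); return; }
        FillResponse.Builder response = new FillResponse.Builder();
        int offered = 0;
        for (Credential c : vault) {
            if (!c.packageName().equals(caller)) continue; // other apps' entries never leave the vault
            RemoteViews label = new RemoteViews(getPackageName(), android.R.layout.simple_list_item_1);
            label.setTextViewText(android.R.id.text1, c.username()); // shown to the user before anything is filled
            response.addDataset(new Dataset.Builder(label)
                    .setValue(userId, AutofillValue.forText(c.username()))
                    .setValue(passId, AutofillValue.forText(c.password())).build());
            offered++;
        }
        callback.onSuccess(offered > 0 ? response.build() : null);
    }

    // Only fields the user can see are candidates; INVISIBLE/GONE fields are never filled.
    private static AutofillId findVisible(ViewNode node, String hint) {
        String[] hints = node.getAutofillHints();
        if (hints != null && node.getVisibility() == View.VISIBLE)
            for (String h : hints) if (hint.equals(h)) return node.getAutofillId();
        for (int i = 0; i < node.getChildCount(); i++) {
            AutofillId found = findVisible(node.getChildAt(i), hint);
            if (found != null) return found;
        }
        return null;
    }
}
```

A stricter partition key would also compare the caller's signing certificate through `PackageManager`, since the package name alone is only as trustworthy as the device's install policy.
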

------
izacus
The leakage is exactly the same as you get on your desktop computer - a
webpage can hide a password dialog as well which can trigger hidden autofill.

Of course exploiting this can be a bit hard:

- All current password managers will show UI before autofilling.

- The app can really grab a password just for itself because of how managers
look up the password.

~~~
mrguyorama
That's not always how it was though. Lastpass used to hand out all your data
to pretty much any website that asked nicely[0].

I imagine password managers on mobile devices will have their own teething
problems. I will just be patient and wait for them to mature.

0. [https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/](https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/)

------
giancarlostoro
I think any type of auto fill software should show you everything they're
giving up from you before they do it. I'd rather click Y/N once and have that
"inconvenience" than just wonder in the back of my mind how much I'm being
screwed by hidden forms. This is alarmingly worse on Android than the web due
to being able to inspect hidden elements with a modern browser, but on Android
you have to go through more hoops to look through the code for an app.

------
tscs37
Simple solution: Don't auto-autofill, ask the user, then autofill.

I set up my Keepass plugin to not autofill forms and provide autocompletion
only. That way it doesn't automatically spam any logins it can find into
whatever form is present on the website.

Then again, since everything uses URLs of the websites, the only credentials a
website has access to are its own...

