Hacker News new | comments | show | ask | jobs | submit login
Password Managers Using Android O’s Autofill Are Vulnerable to Data Leakage (github.com)
23 points by AdmiralAsshat 11 months ago | hide | past | web | favorite | 5 comments

AFAICT, the main problem is that android doesn't force the autofill provider to partition data according to which application is in use, in the same way that you would expect them to be partitioned based on domain name on the web.

However, the information (application_id) is provided to the autofill provider, so it's not really fair to say that android itself is vulnerable: specific implementations of the provider may be vulnerable. Even if android could protect against this specific issue, you're still going to be placing a lot of trust in the autofill provider.

The leakage is exactly the same as you get on your desktop computer - a webpage can hide a password dialog as well which can trigger hidden autofill.

Of course exploiting this can be a bit hard:

- All current password managers will show UI before autofilling.

- The app can really grab a password just for itself because of how managers lookup the password.

That's not always how it was though. Lastpass used to hand out all your data to pretty much any website that asked nicely[0].

I imagine password managers on mobile devices will have their own teething problems. I will just be patient and wait for them to mature

0. https://labs.detectify.com/2016/07/27/how-i-made-lastpass-gi...

I think any type of auto fill software should show you everything they're giving up from you before they do it. I rather click Y/N once and have that "inconvenience" than just wonder in the back of my mind how much I'm being screwed by hidden forms. This is alarmingly worse on Android than the web due to being able to inspect hidden elements with a modern browser, but on Android you have to go through more hoops to look through the code for an app.

Simple solution: Don't auto-autofill, ask the user, then autofill.

I setup my Keepass Plugin to not autofill forms and provide autocompletion only. That way it doesn't automatically spam any logins it can find into whatever form is present on the website.

Then again, since everything uses URLs of the websites, the only credentials a website has access to are it's own...

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact