Several mobile password managers are leaking user credentials due to a vulnerability discovered in the autofill functionality of Android apps.
The vulnerability comes into play when an Android app calls a login page via WebView.
When that happens, WebView allows Android apps to display the content of the web page in question.
If the originating app is trusted, everything should be OK. If that app isn't trusted, things could go very wrong.
The affected password managers are 1Password, LastPass, Enpass, Keeper, and Keepass2Android.
If the credentials were shared via a JavaScript injection method, both DashLane and Google Smart Lock are also affected by the vulnerability.
Because of the nature of this vulnerability, neither phishing nor malicious in-app code is required.
One thing to keep in mind is that the researchers tested this on less-than-current hardware and software.
The versions of Android used in their testing were Android 10, Android 11, and Android 12.
As these tested devices - as well as the OS and security patches - were out of date, it's hard to know with any certainty whether the vulnerability would affect newer versions of Android.
Even if you are using a device other than what the group tested with, it doesn't mean this vulnerability should be shrugged off.
Rather, it should serve as a reminder to always keep your Android OS and installed apps up-to-date.
The WebView system has always been held under scrutiny, and updates for this software should always be applied.
For that, you can open the Google Play Store on your device, search for WebView, tap About this app, and compare the latest version with the version installed on your device.
If they are not the same, you'll want to update.
One of your best means of keeping Android secure is to make sure it is always as up-to-date as possible.
Check daily for OS and app updates and apply all that are available.
This Cyber News was published on www.zdnet.com. Publication date: Mon, 11 Dec 2023 18:13:05 +0000