Date: 2023-12-08

As operating systems have incorporated password managers, users have come to trust them and to dismiss any other way of saving their passwords. Now it looks like we might be in danger, or at least Android users might be. We tell you all the details.

Password managers have become, for many, one of the most used features of our operating system. Because all the data is saved in the cloud, we have become accustomed to any password we enter on our computer being automatically available on our mobile phone or tablet. Although most tools use the most advanced security protocols, security gaps are sometimes identified that can compromise our most critical data.

Recently, it has been detected that several password managers could be disclosing passwords as a result of a vulnerability, called “AutoSpill”, that affects the autofill functionality of Android applications. The flaw was discovered by researchers at IIIT Hyderabad and, as a consequence, may have affected thousands of users around the world.

It only affects Android phones

The problem arises from the data flow that Android uses when passwords are entered. The researchers give the example of logging in to an application, such as a music app, with our Google credentials. The music application opens a new window in which we must enter the Google credentials, and when we use a password manager to autofill them, the password should only be shown to the party that will use it as the access key. In this case, Google.

However, a security flaw has been detected in this process that sometimes causes the password to be exposed to the base application as well. In this case, the music app. The researchers have stated that, even without carrying out any phishing attack, any malicious application that wants to capture its users' data could do so without needing a highly developed attack.

Most password managers

According to members who participated in the research, the vulnerability has been tested against the main password managers, among them LastPass, Enpass, 1Password and Keeper. Most of these applications were found to be vulnerable to this data leak, so it would be a fairly general problem.

When this information was put in the hands of the managers mentioned above, the responses varied. While 1Password told TechCrunch that the company had identified the problem and was working on a solution, others such as Keeper contradicted the study, implying that the application had been manipulated to achieve that result. The rest of the applications have not yet commented on the matter, nor has Google itself, owner of Android, the affected operating system. In the meantime, we will have to watch for new updates to password management applications to minimize the chances of being affected.