Autofill security challenges for password managers
Everyone likes autofill
Many password managers offer autofill to make our lives easier. Everybody loves autofill. Besides convenience, autofill can help prevent many phishing attacks.
Phishing is a type of social engineering in which an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or into deploying malicious software, such as ransomware, on the victim’s infrastructure.
Many of us have received phishing links via email or SMS. These nasty links are cunning: they might replace some characters with other, very similar-looking characters to fool us. For example, they replace the letter “o” on
Unfortunately, this is not the only way for bad guys to steal users’ information. Some exploit flaws in the autofill of password managers.
Next, let’s look into some common risks of autofill found by security researchers.
New attack surface
Many password managers provide autofill and, at the same time, expose a large attack surface. Hackers may abuse autofill to steal our passwords.
1. Steal all passwords from password managers that parse website URLs incorrectly.
Mathias Karlsson, a security researcher, found a shocking bug in URL parsing while studying the autofill function of the LastPass browser extension in 2016. The extension assumed that the domain came after the last occurrence of @. For example, it thought avlidienbrunn.se was the domain of http://firstname.lastname@example.orgemail@example.com and would hand the Twitter password to this web page. So hackers could make a web page that posed as ANY website to steal its password!
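To make the parsing mistake concrete, here is an added example (not code from the article or from LastPass) that contrasts a naive “everything after the last @ is the domain” parser with the standard WHATWG URL parser that browsers use, and shows the decision a fill routine should make. The function names naiveDomain, realHost and shouldFill and the hostnames attacker.example and bank.example are constructed for illustration.

```javascript
// Added example, not from the article or from any password manager's code.
// Contrasts a naive "text after the last '@' is the domain" parser with the
// WHATWG URL parser (the URL class built into browsers and Node).
// All URLs and hostnames below are constructed; .example is a reserved TLD.

// Naive parser modelled on the bug described above: strip the scheme, take
// whatever follows the last '@', and cut at the next '/', ':', '?' or '#'.
function naiveDomain(url) {
  const afterScheme = url.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '');
  const at = afterScheme.lastIndexOf('@');
  const rest = at === -1 ? afterScheme : afterScheme.slice(at + 1);
  return rest.split(/[/:?#]/)[0].toLowerCase();
}

// Correct extraction: let the standard parser decide what the host is.
// In a URL, '@' only delimits userinfo inside the authority component;
// an '@' inside the path cannot change the host.
function realHost(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch {
    return null; // unparseable URL: fill nothing
  }
}

// The gate a fill routine should apply: release a credential only when the
// host the browser actually navigated to equals the host the credential
// was saved for.
function shouldFill(credentialHost, pageUrl) {
  const host = realHost(pageUrl);
  return host !== null && host === credentialHost.toLowerCase();
}

// Constructed URL: an attacker-controlled page whose *path* contains
// "@bank.example". The naive parser is fooled; the real parser is not.
const trickyUrl = 'http://attacker.example/@bank.example';
console.log(naiveDomain(trickyUrl));                 // bank.example (wrong)
console.log(realHost(trickyUrl));                    // attacker.example
console.log(shouldFill('bank.example', trickyUrl));  // false

// A legitimate userinfo URL: both parsers agree, which is why a bug like
// this can survive casual testing.
console.log(naiveDomain('http://user@bank.example/login')); // bank.example
console.log(realHost('http://user@bank.example/login'));    // bank.example
```

The second pair of calls is the important caveat for anyone reviewing a fill routine: a hand-rolled host extractor often passes the obvious tests because the only @ most testers think of is the one in userinfo, so the check has to be exercised with @ in the path as well.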
2. Steal passwords with hidden input boxes.
Websites usually include many third-party trackers, ads, or other resources. In research published in 2020, Acar, G., Englehardt, S., and Narayanan, A. found that malicious third-party scripts could inject invisible input boxes into web pages, and password managers filled them with users’ information. As a result, third-party services could harvest the data secretly. Users would not notice anything during the whole process, since they could not see the filled hidden input boxes.
From Acar, G., Englehardt, S., & Narayanan, A. (2020). No boundaries: data exfiltration by third parties embedded on web pages. Proceedings on Privacy Enhancing Technologies, 2020(4), 220-238.
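The defence against this is for the fill routine to check whether a field is actually visible before writing anything into it. The following is an added example (not code from the article, from the cited paper, or from any password manager) of such a gate. Because it runs outside a browser, the fields are plain objects constructed to stand in for what getComputedStyle() and getBoundingClientRect() would return; the function names hiddenReasons and planAutofill and the sample form are assumptions made for illustration.

```javascript
// Added example, not from the article or the cited paper: a visibility gate a
// fill routine can apply before writing a credential into a field. Field
// descriptors are constructed objects standing in for the browser's
// computed style and bounding rectangle.

// Collect the reasons a field would be invisible to the user. An empty
// array means the field looks like a normal, visible input.
function hiddenReasons(field, page) {
  const reasons = [];
  const s = field.style;
  const r = field.rect;

  if (field.type === 'hidden') reasons.push('type=hidden');
  if (s.display === 'none') reasons.push('display:none');
  if (s.visibility === 'hidden' || s.visibility === 'collapse') {
    reasons.push('visibility:' + s.visibility);
  }
  if (parseFloat(s.opacity) < 0.1) reasons.push('opacity<0.1');
  if (r.width < 2 || r.height < 2) reasons.push('zero-size');
  // Entirely left of or above the page origin, or beyond its right edge.
  // (Below the fold is legitimate: the user can scroll to it.)
  if (r.x + r.width <= 0 || r.y + r.height <= 0 || r.x >= page.width) {
    reasons.push('off-page');
  }
  return reasons;
}

// Policy: fill only fields that are visible and were present when the page
// finished loading. Fields injected later by scripts are reported instead of
// filled silently, so the manager can ask the user to confirm.
function planAutofill(fields, page) {
  const fill = [];
  const skipped = [];
  for (const f of fields) {
    const reasons = hiddenReasons(f, page);
    if (!f.presentAtLoad) reasons.push('injected-after-load');
    if (reasons.length === 0) fill.push(f.name);
    else skipped.push({ name: f.name, reasons });
  }
  return { fill, skipped };
}

// Constructed sample form: a normal login form plus two fields of the kind a
// third-party script could append to harvest autofilled data.
const sampleForm = [
  { name: 'email', type: 'email', presentAtLoad: true,
    style: { display: 'block', visibility: 'visible', opacity: '1' },
    rect: { x: 40, y: 120, width: 240, height: 32 } },
  { name: 'password', type: 'password', presentAtLoad: true,
    style: { display: 'block', visibility: 'visible', opacity: '1' },
    rect: { x: 40, y: 170, width: 240, height: 32 } },
  // 1x1 pixel, fully transparent field added after load
  { name: 'tracker_email', type: 'email', presentAtLoad: false,
    style: { display: 'block', visibility: 'visible', opacity: '0' },
    rect: { x: 40, y: 220, width: 1, height: 1 } },
  // pushed far off the left edge of the page
  { name: 'tracker_pw', type: 'password', presentAtLoad: false,
    style: { display: 'block', visibility: 'visible', opacity: '1' },
    rect: { x: -5000, y: 220, width: 240, height: 32 } },
];
const samplePage = { width: 1280, height: 2400 };

console.log(JSON.stringify(planAutofill(sampleForm, samplePage), null, 2));
```

Running it fills only email and password and reports the two injected fields with the reasons they were skipped. A real implementation would also have to walk up the ancestor chain (a visible input inside a display:none or zero-size container is just as invisible) and recheck on each fill, since a script can change styles after the page loads.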
3. Steal passwords with malicious code.
Third-party trackers or ads might also execute malicious code when a web page loads. They may trick password managers into filling passwords into input boxes crafted by malicious scripts, either without any user interaction or through clickjacking.
4. Steal passwords with fake Android apps.
Some of us download apps from sources other than the official app stores for various reasons. It is possible to download fake, malicious apps with the same package names as the authentic ones. As a result, these counterfeit apps might steal passwords through autofill.
5. Fill one website’s password into another app.
It is common for users to receive and open website links inside other apps. For example, we tend to open a link sent by a friend directly in the messaging app (like Telegram) rather than copy it and open it in a dedicated browser. It is convenient. But if we log in to the website there, the password also passes through Telegram, because the link is loaded inside the host app. In other words, Telegram can access all the information users type into its web component. If there are some bad guys on the Telegram team, your data is in danger.
Besides these common risks, there are many others not covered in this article. That is why many security researchers recommend turning off autofill completely whenever possible. But are you willing to give up this feature? If not, how can we find a password manager with safer autofill? It is not easy, but we can still do the following:
Find a safe one
- Read articles on the developer’s website to know what they did to mitigate autofill problems. Does it make sense?
- Search the incident history of the service. Does it keep a good record?
- Try a search on Google Scholar.
- Try the app. Does it make you feel confident?
- How I made LastPass give me all your passwords
Stealing all your passwords by just visiting a webpage. Sounds too bad to be true? That’s what I thought too before I decided to check out the security of the LastPass browser extension.
- Revisiting Security Vulnerabilities in Commercial Password Managers, Michael Carr, Siamak F. Shahandashti, 2020
Notably, one of the new vulnerabilities we identified allows a malicious app to impersonate a legitimate app to two out of five widely-used password managers we tested and as a result, steal the user’s password for the targeted service.
- No boundaries: data exfiltration by third parties embedded on web pages, Gunes Acar (KU Leuven), Steven Englehardt (Mozilla), and Arvind Narayanan (Princeton University), 2020
- You should turn off autofill in your password manager, Marek Tóth, 2021
If a user uses the default configuration or follows the password manager’s recommendation, it is possible to steal the saved login credentials from 11 of the 16 tested browsers and password managers in one mouse click. So the database/password on the website doesn’t have to be leaked, and the attacker still gets your data – all in readable and unencrypted form (in plaintext).
- Browser Autofill Phishing
This is a simple demonstration of form fields hidden from the user but filled anyway when using the browser form autofill feature, which poses a security risk for users unaware of giving their information to the website.
Live demo. View the page at: https://anttiviljami.github.io/browser-autofill-phishing/
- Steal users’ credentials by taking advantage of autofill features when CSP header is present, Web Security Lens, 2022
The autofill feature provided by password managers and browsers is convenient but comes with a security tradeoff. Especially when your website has potential XSS vulnerabilities or there are many subdomains under your organization, you need to pay extra attention to managing the subdomains. For end users, if possible, you could turn off autofill of passwords to prevent password stealing.
- Phishing Attacks on Modern Android, Simone Aonzo, Alessio Merlo, Giulio Tavella, Yanick Fratantonio, 2018
…we show it is possible to trick password managers into auto-suggesting credentials associated with arbitrary attacker-chosen websites. We then show how an attacker can abuse the recently introduced Instant Apps technology to allow a remote attacker to gain full UI control and, by abusing password managers, to implement an end-to-end phishing attack requiring only a few user clicks. We also found that mobile password managers are vulnerable to “hidden fields” attacks, which makes these attacks even more practical and problematic.
- Password Managers: Attacks and Defenses, David Silver, Suman Jana, Dan Boneh, Eric Chen, Collin Jackson, 2014
And many more.