Bug P3
Comments
gu...@dashlane.com <gu...@dashlane.com> #2
Here is the project to reproduce the issue
jo...@dashlane.com <jo...@dashlane.com> #3
To add more details, we think it is a bug because it is only when you trigger the autofill from a webview field that you get everything related to the webview + all native fields outside of the webview.
If you trigger the autofill from native fields, you are not getting any info related to the webview, which seems to be the normal and secure behavior.
As soon as only the webview fields are given when autofill is triggered from the webview, the security issue will be automatically fixed for all Password Managers using the Autofill API, even if they have not implemented some security measure to prevent this case.
Description
Version used: 1.1.0
There is a vulnerability in the Android autofill API where a malicious app can add some native fields next to a webview, and so autofill providers will autofill those native forms in addition to the webview.
I've attached an example app where there is a webview on the Wikipedia login page followed by two native fields "email" and "password". By selecting one of the fields inside the webview, you will be able to autofill the native fields with some autofill provider.
To address this security concern, I recommend enhancing the autofill API's behavior to discern when the focus is within a webview. Specifically, the autofill API should be modified to exclude autofilling native fields when the user interacts with forms inside a webview.
This issue has been published on this blogpost ->
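
A provider-side version of the scoping requested in this report, as an added example (not code from the reporter, Dashlane, or the Android framework): the autofill service only fills fields that share the focused field's scope, so a request triggered inside a webview never fills native fields next to it. It assumes web content is recognised by a non-null `webDomain` on a node or one of its ancestors; `Candidate`, `collect` and `fieldsInFocusedScope` are hypothetical names.

```kotlin
import android.app.assist.AssistStructure
import android.app.assist.AssistStructure.ViewNode
import android.view.View
import android.view.autofill.AutofillId

// One node of the structure plus the web-content root (if any) that contains it.
private data class Candidate(val node: ViewNode, val webRoot: ViewNode?)

// Pre-order walk. A node counts as web content when it or an ancestor reports
// a web domain (assumption: this is how the webview subtree is recognised).
private fun collect(node: ViewNode, webRoot: ViewNode?, out: MutableList<Candidate>) {
    val root = webRoot ?: node.takeIf { it.webDomain != null }
    out += Candidate(node, root)
    for (i in 0 until node.childCount) collect(node.getChildAt(i), root, out)
}

// Hypothetical helper: the ids the service may put in its fill response.
fun fieldsInFocusedScope(structure: AssistStructure): List<AutofillId> {
    val all = mutableListOf<Candidate>()
    for (w in 0 until structure.windowNodeCount) {
        collect(structure.getWindowNodeAt(w).rootViewNode, null, all)
    }
    // In pre-order a focused descendant comes after its focused ancestors,
    // so the last match is the innermost focused node.
    // No focused node means the origin of the request is unknown: fill nothing.
    val focused = all.lastOrNull { it.node.isFocused } ?: return emptyList()
    return all
        // Same scope only: the same web root when focus is inside web content,
        // native fields only (webRoot == null) when focus is on a native field.
        .filter { it.webRoot === focused.webRoot }
        .filter { it.node.autofillType != View.AUTOFILL_TYPE_NONE }
        .mapNotNull { it.node.autofillId }
}
```

A service would call this on the `AssistStructure` of the latest fill context and build datasets only for the returned ids.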