Ars Technica wrote a piece on the continuing security flaw with password managers like LastPass and KeePass on Android. Technically, the problem is an Android problem, but from the user's standpoint that distinction doesn't really matter.
The problem is that tools like LastPass and many others use the Android clipboard to automatically log you on to a web page, and that clipboard is readable by any app on the device, which can sniff it and steal the contents.
This problem was originally uncovered in 2013, but came back into the light because of a proof-of-concept app recently published on the Play Store that steals passwords out of LastPass.
An alternative is to use the password manager the way I do, which is to open the password manager, look at the password and type it into the browser.
But that is not as convenient.
LastPass CEO Joe Siegrist, when asked if he had ever notified his users of this vulnerability, did a sleight of hand and responded that this was an Android problem. I would guess that means that the answer to the question is no.
To be fair, it IS an Android problem. But if users were aware that this mode of using LastPass and many other password managers was not safe, some percentage of them would change the way they use it.
According to Ars – and I am not a LastPass user – there are other modes of using LastPass besides autofill that are not susceptible to this problem (such as using the LastPass keyboard or the LastPass browser). I don't know about other password managers, but it seems like an important question to ask.
While the proof-of-concept app just published, ClipCaster, is benign, some other app might not be so benign. It could run in the background, collecting user IDs and passwords and sending them to Bulgaria, and you would never know.
Food for thought.