{"id":77287,"date":"2014-11-21T23:31:31","date_gmt":"2014-11-21T21:31:31","guid":{"rendered":"http:\/\/onsoftware.en.softonic.com\/?p=77287"},"modified":"2025-07-02T00:20:25","modified_gmt":"2025-07-02T07:20:25","slug":"android-vulnerability-leaves-some-password-managers-open-to-sniffing","status":"publish","type":"post","link":"https:\/\/cms-articles.softonic.io\/en\/android-vulnerability-leaves-some-password-managers-open-to-sniffing\/","title":{"rendered":"Android vulnerability leaves some password managers open to sniffing"},"content":{"rendered":"<p>If you&#8217;re using a <a title=\"Which password manager should you use \u2013 1Password, Dashlane, or LastPass?\" href=\"http:\/\/features.en.softonic.com\/which-password-manager-should-you-use-1password-dashlane-or-lastpass\" target=\"_self\" rel=\"noopener noreferrer\">password manager<\/a> on your Android phone or tablet, you will want to pay attention to this vulnerability. <strong>The problem is inherent to Android itself<\/strong> but affects password managers that utilize the <strong>clipboard<\/strong> to fill in passwords.<\/p>\n<p>The vulnerability isn&#8217;t new and shouldn&#8217;t come as a surprise. Researchers discovered the bug back in early 2013 but nothing has been done about it since. But recently, an app called <a title=\"ClipCaster download\" href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.actisec.clipcaster\" target=\"_blank\" rel=\"noopener noreferrer\">ClipCaster<\/a> has made its way onto the Google Play Store that can <strong>sniff usernames and passwords stored in the Android clipboard<\/strong>.<\/p>\n<p>ClipCaster is a proof of concept that this vulnerability exists and works. The app <strong>doesn&#8217;t require any permissions<\/strong> so a victim will be none the wiser that his or her passwords are being sniffed out. 
There&#8217;s no functionality behind ClipCaster other than to expose vulnerable password managers on Android.<\/p>\n<p>While password managers like <a title=\"Lastpass for Android\" href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.lastpass.lpandroid\" target=\"_blank\" rel=\"noopener noreferrer\">LastPass<\/a> are affected, others that don&#8217;t utilize the clipboard are not. LastPass responded, saying that the vulnerability is not with its own app but a problem with Android itself.<\/p>\n<p>&#8220;This is an <strong>any clipboard activity problem<\/strong> [his emphasis] and impacts any password manager involving the clipboard (100% of them)\u2014the way all password managers have consistently allowed you to enter your password into other apps since Android has existed. This demonstration is aimed at LastPass, but it&#8217;s the whole of Android that must be addressed,&#8221; said LastPass CEO Joe Siegrist speaking with <em>Ars Technica<\/em>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-77290\" title=\"Lastpass for Android combined\" src=\"https:\/\/articles-img.sftcdn.net\/sft\/articles\/auto-mapping-folder\/sites\/3\/2014\/11\/Lastpass-for-Android-combined-568x504.jpg\" alt=\"Lastpass for Android combined\" width=\"568\" height=\"504\" srcset=\"https:\/\/articles-img.sftcdn.net\/auto-mapping-folder\/sites\/3\/2014\/11\/Lastpass-for-Android-combined-568x504.jpg 568w, https:\/\/articles-img.sftcdn.net\/auto-mapping-folder\/sites\/3\/2014\/11\/Lastpass-for-Android-combined-256x227.jpg 256w, https:\/\/articles-img.sftcdn.net\/auto-mapping-folder\/sites\/3\/2014\/11\/Lastpass-for-Android-combined.jpg 1280w\" sizes=\"auto, (max-width: 568px) 100vw, 568px\" \/><\/p>\n<p>Android password managers which use their own browsers, browser extensions, or software keyboards are unaffected by this bug. 
This means LastPass users can stop this bug by <strong>disabling the &#8220;autofill&#8221; feature<\/strong> and using the LastPass secure browser or software keyboard instead.<\/p>\n<p>You can also protect yourself by only installing trusted apps, meaning apps you find in Google Play since Google checks those apps for malicious code. Still, some malicious apps may fall through the cracks so use your best judgement. Now is also a good time to <strong>install a mobile antivirus program<\/strong> like <a title=\"Lookout for Android download\" href=\"http:\/\/lookout-mobile-security.en.softonic.com\/android\" target=\"_self\" rel=\"noopener noreferrer\">Lookout<\/a> or <a title=\"AVG antivirus security free for Android download\" href=\"http:\/\/avg-antivirus-security-free.en.softonic.com\/android\" target=\"_self\" rel=\"noopener noreferrer\">AVG<\/a> to monitor your phone for vulnerabilities.<\/p>\n<p>Android does have a security feature called &#8220;<a title=\"Android sandboxing\" href=\"http:\/\/developer.android.com\/training\/articles\/security-tips.html\" target=\"_blank\" rel=\"noopener noreferrer\">sandboxing<\/a>&#8221; that would render this attack useless but it would also stop password managers from working properly. Basically, sandboxing isolates an app from other apps, protecting it from sniffing. However, <strong>sandboxing password managers would make the apps extremely limited and difficult to use<\/strong>.<\/p>\n<p>There&#8217;s <strong>no need to panic<\/strong> about this vulnerability, but Google and app developers should work together to implement a fix. 
Just use your best judgement about the apps you install and you should be safe.<\/p>\n<p>For more information about how to protect yourself online, check out my <a title=\"How to protect your online identity and why you should care\" href=\"http:\/\/features.en.softonic.com\/how-to-protect-your-online-identity-and-why-you-should-care\" target=\"_self\" rel=\"noopener noreferrer\">in-depth guide<\/a>.<\/p>\n<p><em>Source: <a title=\"Ars Technica\" href=\"http:\/\/arstechnica.com\/security\/2014\/11\/using-a-password-manager-on-android-it-may-be-wide-open-to-sniffing-attacks\/\" target=\"_blank\" rel=\"noopener noreferrer\">Ars Technica<\/a><\/em><\/p>\n<p style=\"text-align: right\"><em>Follow me on Twitter: <a href=\"https:\/\/twitter.com\/lewisleong\" target=\"_self\" rel=\"noopener noreferrer\">@lewisleong<\/a><\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you&#8217;re using a password manager on your Android phone or tablet, you will want to pay attention 
to this vulnerability. The problem is inherent to Android itself but affects password managers that utilize the clipboard to fill in passwords. The vulnerability isn&#8217;t new and shouldn&#8217;t come as a surprise. Researchers discovered the bug back &hellip; <a href=\"https:\/\/cms-articles.softonic.io\/en\/android-vulnerability-leaves-some-password-managers-open-to-sniffing\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Android vulnerability leaves some password managers open to sniffing&#8221;<\/span><\/a><\/p>\n","protected":false},"author":2033,"featured_media":71603,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","wpcf-pageviews":0},"categories":[],"tags":[],"usertag":[],"vertical":[],"content-category":[],"class_list":["post-77287","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/posts\/77287","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/users\/2033"}],"replies":[{"embeddable":true,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/comments?post=77287"}],"version-history":[{"count":1,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/posts\/77287\/revisions"}],"predecessor-version":[{"id":329797,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/posts\/77287\/revisions\/329797"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/media\/71603"}],"wp:attachment":[{"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/media?parent=77287"}],"wp:term":[{"tax
onomy":"category","embeddable":true,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/categories?post=77287"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/tags?post=77287"},{"taxonomy":"usertag","embeddable":true,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/usertag?post=77287"},{"taxonomy":"vertical","embeddable":true,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/vertical?post=77287"},{"taxonomy":"content-category","embeddable":true,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/content-category?post=77287"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}