Security of safari saved passwords and autofill

[HylianKnight]

So, I downloaded Newegg onto my 10.5 iPad and when I went to login the app was able to access my safari saved passwords to autofill my password. It was able to do this without me even using touchID or putting in my device passcode. On top of this, the app has the option to "show" the password—essentially showing what would normally be a hidden password. This got me thinking about all the websites that also have the option to reveal the hidden password on the password field. I believe the assumption is that our devices must first be unlocked with the use of touchID or the device password before access is granted to autofill our saved passwords, but it would seem to me that this is very short sighted. A nefarious person would only need access to an unlocked device and they could view any password to a site or app that has the "view" toggle or something similar.

iOS and macOS require the input of a device password or touchID in order to access our full list of saved passwords, so why is this same standard not applied when autofilling passwords into apps or websites? I personally feel this is a glaring oversight in security. There should at least be an option in settings to require the input of a device password or touchID whenever access to the saved passwords is needed, particularly when auto filling passwords into apps or websites. That toggle should also be password protected, much like the "Find my —" setting is protected. From what I have read, this issue seems to have been addressed in iOS 11, at least in the case when an app requests access to your saved passwords (it will require touchID). The security flaw likely still remains when auto filling website passwords.

Has this been addressed before? Am I missing somethIng? Is there a setting I'm missing that performs the security functions I outlined above or something similar? If this has been addressed and is still an issue, WTF APPLE!

I have attached a photo of the Newegg app to illustrate what I mean by an option to show password. Also, while Newegg app does prompt for Touch ID, you only need to hit cancel and the saved password prompt comes up. While this is certainly a flaw in the Newegg app, the issue illustrated above still applies to websites that autofill passwords. A great example would be the sign in page for google, which I have also attached a photo of.

 

[GermanSuplex]

As for security, I always lock my devices when unattended. Any accident could happen on any unlocked device. I reckon it's about as secure, if not more so, than most other cloud-storage password options. If upmost security is your thing, then I recommend using an app like 1Password with a local-only vault, and you can sync your vault between devices on your home wifi network. You can then use the Safari 1Password app extension directly in Safari to auto-fill passwords, and you can set 1Password to require Touch ID each time just as you mentioned.

 

[HylianKnight]

As You and I both seem to conclude, the assumption is that a device will be locked when it is left for any period of time. I myself always lock my device. It is a neurotic habit of mine to make sure all doors and devices are as secure as possible. But the point still stands, this is a weakness in the security of keychain—one that Apple could very easily address by implementing the procedure I have already outlined. Furthermore, not everyone locks their device up when they foresee themselves being away from it for only a matter of minutes. I admit, it is more likely someone would steal a device in that time frame, but then the problem is exacerbated if they manage to keep the device unlocked after stealing it. I would agree with your opinion about it being more secure than most other cloud based password solutions, but there is definitely room for significant improvement. I am aware of what 1Password is capable of, but a 3rd party solution doesn't excuse this flaw in the security of Apple's password management system.

 

[GermanSuplex]

I don't really see it as a flaw. Could it be improved? Sure, most things always can, and I don't disagree an option to enable Touch ID for every auto fill is a bad idea. I just don't see it as a security flaw. To me, the flaw would be in leaving an unlocked device somewhere. It's kind of like saying you were "hacked" when you left a piece of paper with website credentials laying around.

*I think I misread your post... I agree another app should not have access to Safari passwords without permission. I was thinking of the website. My apologies.

 

[HylianKnight]

I agree with you, it is a huge mistake to leave a device with so much personal information unlocked, but I do hope Apple makes this better in iOS. I guess it comes back to the age old debate of convenience vs security.

While safari never bothered me too much, I was fairly perturbed about an app having acces without any requirement of touchID or a device password. I think you have answered all my questions. Perhaps I will send apple a "feature request" next time I have nothing to do.

 

[GermanSuplex]

Hm, I downloaded the app to try it out, and it did not auto fill anything despite me also having a newegg account in safari's iCloud Keychain. Are you sure you weren't on the Newegg site rather than the app? It did show me the 'show password' field and asked if I wanted to use Touch ID to log into the future, but the app itself did not auto populate anything. I did notice that once the app was installed, the newegg website kept trying to force the app to open on me. But I saw no signs the app had access to Safari passwords.

 

[HylianKnight]

Hmmm, curious. Maybe a difference between iPad and iPhone. I used the iPad app.

 

[HylianKnight]

So, I reinstalled the app and took some pictures on my iPhone to show what I'm seeing. You will find them below and can see that in one screen shot that I tapped on cancel when asked about pairing with Touch ID after login. Pairing with Touch ID after login simply enables the ability to log in with it instead of a password.

 

[GermanSuplex]

The app doesn't have access to your password then. That's iOS giving you the option to auto fill the password, no different than if you visit a webpage in Safari for which you have chosen to previously save the password for.

So basically, you'd like to see iOS have a setting where you can use Touch ID anytime it wants to auto fill a password.

 

[Anony-mouse]

Just found out about this today (I'm on iOS 11 on my iPad Pro).
I'm not happy about not being able to force a TouchID authentication before Safari retrieves my password.

So, I've decided not to save passwords in Safari until Apple fixes this hole.
That is probably for the best security-wise anyway.

 

[Kmart9419]

Just found out about this today (I'm on iOS 11 on my iPad Pro).
I'm not happy about not being able to force a TouchID authentication before Safari retrieves my password.

So, I've decided not to save passwords in Safari until Apple fixes this hole.
That is probably for the best security-wise anyway.

The iPhone X face id turns on before each login and password are filled in. But on the iphone 6 and ipad pro 9.7, the login and password are filled in without any authentication. Very annoying and a security hazard. Don't know what is up with new apps that show passwords, stupidest thing in the world. If the X can do what the op wanted, why can't the other phones with touch id? All this really take is a flick of a switch from apple.

All devices on ios11.

 

[HylianKnight]

The iPhone X face id turns before each login and password are filled in. But on the iphone 6 and ipad pro 9.7, the login and password are filled in without any authentication. Very annoying and a security hazard. Don't know what is up with new apps that show passwords, stupidest thing in the world. If the X can do what the op wanted, why can't the other phones with touch id? All this really take is a flick of a switch from apple.

All devices on ios11.

Sad to hear this is still an issue on iPhones with the excerption of the iPhone X. I got a X and as kmart9419 mentioned, FaceID activates before filling in any passwords. I figured that Apple had addressed my security concern. I guess that just isn’t the case with other iPhones. Should be easy to implement, just ask for Touch ID before autofilling.

This may be a stupid question Kmart, but are the iPhone 6 and iPad 9.7 on the most current iOS?

 

[Kmart9419]

Sad to hear this is still an issue on iPhones with the excerption of the iPhone X. I got a X and as kmart9419 mentioned, FaceID activates before filling in any passwords. I figured that Apple had addressed my security concern. I guess that just isn’t the case with other iPhones. Should be easy to implement, just ask for Touch ID before autofilling.

This may be a stupid question Kmart, but are the iPhone 6 and iPad 9.7 on the most current iOS?

Yes, all devices on 11.2.5.

Since kids kept forgetting passwords, I decided to setup keychain passwords for them fully expecting authentication before autofilling. Then to my surprise, everything just filled in with Touch ID. Of course being kids, they hit show passwords on the screen where all their friends can see it.

Had to increase security with the passcode from a very simple kid friendly 4 digit code to a much harder 6 digits to compensate. Also educated them on passwords security and the risks. But being as young as they are, who knows what is going to happen.