CVE-2019-8350 in Simple - Better Banking App
Summary
by MITRE
The Simple - Better Banking application 2.45.0 through 2.45.3 (fixed in 2.46.0) for Android was affected by an information disclosure vulnerability that leaked the user's password to the keyboard autocomplete functionality. Third-party Android keyboards that capture the password may store this password in cleartext, or transmit the password to third-party services for keyboard customization purposes. A compromise of any datastore that contains keyboard autocompletion caches would result in the disclosure of the user's Simple Bank password.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 09/17/2023
The vulnerability described in CVE-2019-8350 represents a critical information disclosure flaw within the Simple Better Banking Android application ecosystem. This security weakness affected versions 2.45.0 through 2.45.3, creating a significant risk for users who relied on the application for their banking activities. The flaw specifically manifested in how the application handled password input fields, inadvertently exposing sensitive authentication credentials to the device's keyboard autocomplete system. The vulnerability was successfully addressed in version 2.46.0, but the window of exposure allowed for potential exploitation by malicious actors who could leverage third-party keyboard applications to capture and store these credentials.
The technical implementation of this vulnerability stems from improper handling of password input fields within the application's user interface components. When users entered their passwords into the application's login forms, the system failed to properly configure the input fields to prevent autocomplete functionality from capturing and storing these credentials. This misconfiguration allowed the Android operating system to treat the password fields as candidates for keyboard autocomplete suggestions, effectively creating a data leak channel. The vulnerability aligns with CWE-200, which specifically addresses information exposure, and represents a failure in input validation and security configuration. The flaw operates at the application layer where user interface elements interact with the Android framework's text input and autocomplete services, creating a pathway for credential exposure that bypasses traditional security measures.
The operational impact of this vulnerability extends beyond the immediate compromise of individual user accounts. Attackers who could access keyboard autocomplete caches on affected devices could potentially retrieve stored passwords from various data stores including local keyboard cache databases, cloud synchronization services, or backup systems that might contain these autocomplete entries. This creates a multi-layered attack surface where a single vulnerability could result in widespread credential exposure across multiple devices and services. The risk is particularly elevated because many third-party keyboards collect user data for customization purposes, creating additional attack vectors where credentials could be transmitted to external services without user knowledge or consent. This vulnerability directly relates to ATT&CK technique T1555.003, which covers credentials from password storage components, and represents a sophisticated attack pathway that leverages legitimate Android platform features to achieve unauthorized access to sensitive information.
Mitigation strategies for this vulnerability require both immediate application-level fixes and user education regarding keyboard security practices. Application developers should implement proper input field configuration using Android's secure input attributes such as setRawInputType with appropriate flags to disable autocomplete for sensitive fields. Additionally, developers must ensure that password fields are configured to prevent automatic saving to keyboard caches through the use of appropriate input types and security flags. Users should be advised to avoid using third-party keyboards for applications that handle sensitive data, particularly banking and financial applications, and to regularly review and clear keyboard autocomplete caches. System administrators and security teams should monitor for potential credential compromise indicators and implement network monitoring to detect unusual data transmission patterns that might indicate credential leakage. The vulnerability serves as a critical reminder of the importance of proper input sanitization and security configuration in mobile applications, particularly those handling sensitive personal and financial information.