AutoSpill is a newly disclosed attack on Android password managers. This article covers how the attack works, which password managers were found to be vulnerable, and how the affected software vendors have responded.
At the Black Hat Europe security conference, researchers from the International Institute of Information Technology (IIIT) Hyderabad presented a new attack named AutoSpill. It targets Android password managers to steal user credentials during the autofill operation.
“Security is always excessive until it’s not enough.” – Robbie Sinclair
How AutoSpill Works
AutoSpill abuses the autofill operation of Android password managers. Android apps often render web content, such as a third-party login page, inside a WebView control instead of handing the user off to the system browser; this is especially common on small-screen devices, where switching to the browser is cumbersome. When an app loads a login page for a service such as Apple, Facebook, Microsoft or Google in a WebView, the password manager relies on Android's autofill framework to fill the user's credentials into that page. If the password manager does not distinguish between input fields rendered inside the WebView and native fields belonging to the host app, the credentials intended for the web page are also written into the host app's own fields, and the app that embeds the login page obtains them.
Impact and Countermeasures
The researchers tested AutoSpill against several password managers on Android 10, 11 and 12. They found that 1Password 7.9.4, LastPass 5.11.0.9519, Enpass 6.8.2.666, Keeper 16.4.3.1048 and Keepass2Android 1.09c-r0 were all susceptible because of the way they use Android's autofill framework.
Responses from Software Vendors
Several software vendors have responded to the AutoSpill findings. A spokesperson from 1Password said that a fix for AutoSpill has been identified and is in the works; the update will prevent native fields from being filled with credentials intended only for Android's WebView.
LastPass, however, already had a mitigation in place before receiving the AutoSpill findings: an in-product pop-up warns the user when the app detects an attempt to exploit this behaviour, and the wording of that pop-up was made more informative after the findings were analysed.
Keeper Security, through co-founder Craig Lurey, clarified that Keeper has safeguards against automatically filling credentials into an untrusted application or site: the user is prompted to confirm the association between the application and the Keeper password record before any information is served.
Google also weighed in, stating that the issue relates to how password managers leverage the autofill APIs when interacting with WebViews. It recommends that all password managers implement WebView best practices, and it provides password managers with the context they need to distinguish between native views and WebViews.
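To make the distinction between WebView fields and native fields concrete, here is an added example of an Android AutofillService in Java; it is not code from the AutoSpill paper, from Google, or from any of the password managers named above. It illustrates both the mechanism described under "How AutoSpill Works" and the context Google refers to: a node in the AssistStructure that carries HtmlInfo was rendered by a WebView and belongs to a web domain, while native fields carry neither. A naive service that pooled every username/password field in the structure into one Dataset would write the web credential into the host app's native fields as well; this one builds a separate Dataset per origin. The package name com.example.autofill, the class name, the lookupCredential stand-in and the accounts.example.com credential are assumptions made for this illustration.

```java
package com.example.autofill; // hypothetical package, not a real product

import android.app.assist.AssistStructure;
import android.app.assist.AssistStructure.ViewNode;
import android.os.CancellationSignal;
import android.service.autofill.*;
import android.util.Pair;
import android.view.View;
import android.view.ViewStructure.HtmlInfo;
import android.view.autofill.AutofillId;
import android.view.autofill.AutofillValue;
import android.widget.RemoteViews;
import java.util.List;

public class WebViewAwareAutofillService extends AutofillService {

    private static final class LoginFields {
        AutofillId username, password;
        String webDomain;                       // stays null for native fields
        boolean complete() { return username != null && password != null; }
    }

    @Override
    public void onFillRequest(FillRequest request, CancellationSignal signal, FillCallback callback) {
        List<FillContext> contexts = request.getFillContexts();
        AssistStructure structure = contexts.get(contexts.size() - 1).getStructure();
        String hostPackage = structure.getActivityComponent().getPackageName();
        LoginFields web = new LoginFields(), nat = new LoginFields();
        for (int i = 0; i < structure.getWindowNodeCount(); i++) {
            collect(structure.getWindowNodeAt(i).getRootViewNode(), null, web, nat);
        }
        FillResponse.Builder response = new FillResponse.Builder();
        boolean offered = false;
        // WebView form: credential for the page's own domain, bound only to WebView ids.
        if (web.complete() && web.webDomain != null) {
            String[] cred = lookupCredential("web:" + web.webDomain);
            if (cred != null) { response.addDataset(dataset(web, cred, web.webDomain)); offered = true; }
        }
        // Native form: only a record stored for this app's package id, never the web one.
        if (nat.complete()) {
            String[] cred = lookupCredential("app:" + hostPackage);
            if (cred != null) { response.addDataset(dataset(nat, cred, hostPackage)); offered = true; }
        }
        callback.onSuccess(offered ? response.build() : null);
    }

    // Walk the view tree. A node with HtmlInfo was rendered by a WebView; getWebDomain()
    // is set on the HTML document node, so pass it down to the inputs beneath it.
    private static void collect(ViewNode node, String inherited, LoginFields web, LoginFields nat) {
        String domain = node.getWebDomain() != null ? node.getWebDomain() : inherited;
        boolean fromWebView = node.getHtmlInfo() != null;
        LoginFields target = fromWebView ? web : nat;
        AutofillId id = node.getAutofillId();
        if (id != null) {
            if (target.username == null && (hasHint(node, View.AUTOFILL_HINT_USERNAME)
                    || hasHint(node, View.AUTOFILL_HINT_EMAIL_ADDRESS) || hasHint(node, "email"))) {
                target.username = id;
            }
            if (target.password == null && (hasHint(node, View.AUTOFILL_HINT_PASSWORD)
                    || hasHint(node, "current-password") || isHtmlPasswordInput(node.getHtmlInfo()))) {
                target.password = id;
            }
            if (fromWebView && target.webDomain == null) target.webDomain = domain;
        }
        for (int i = 0; i < node.getChildCount(); i++) collect(node.getChildAt(i), domain, web, nat);
    }

    private static boolean hasHint(ViewNode node, String wanted) {
        String[] hints = node.getAutofillHints();
        if (hints == null) return false;
        for (String h : hints) if (wanted.equalsIgnoreCase(h)) return true;
        return false;
    }

    // HTML inputs may carry no autofill hint at all; fall back to <input type="password">.
    private static boolean isHtmlPasswordInput(HtmlInfo html) {
        if (html == null || html.getAttributes() == null) return false;
        for (Pair<String, String> a : html.getAttributes()) {
            if ("type".equalsIgnoreCase(a.first) && "password".equalsIgnoreCase(a.second)) return true;
        }
        return false;
    }

    private Dataset dataset(LoginFields f, String[] cred, String label) {
        RemoteViews presentation = new RemoteViews(getPackageName(), android.R.layout.simple_list_item_1);
        presentation.setTextViewText(android.R.id.text1, cred[0] + " for " + label);
        return new Dataset.Builder(presentation)
                .setValue(f.username, AutofillValue.forText(cred[0]))
                .setValue(f.password, AutofillValue.forText(cred[1]))
                .build();
    }

    // Constructed stand-in for the vault: one web record, no record for any app package.
    private static String[] lookupCredential(String key) {
        return "web:accounts.example.com".equals(key) ? new String[] {"alice", "correct-horse-battery"} : null;
    }

    @Override
    public void onSaveRequest(SaveRequest request, SaveCallback callback) {
        callback.onSuccess();               // saving new credentials is out of scope here
    }
}
```

The service has to be declared in the manifest with android:permission="android.permission.BIND_AUTOFILL_SERVICE" and an intent filter for the action android.service.autofill.AutofillService before the system will bind to it. With the constructed vault above, a host app that embeds the accounts.example.com login page in a WebView and also exposes native username and password fields gets a Dataset bound only to the WebView's AutofillIds; its native fields receive nothing, because no record exists for the app's own package. The hint strings a WebView reports depend on the page's autocomplete attributes, which is why the code also falls back to the HTML type attribute when deciding which input is the password field.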