Security researchers from the International Institute of Information Technology (IIIT) have disclosed AutoSpill, an attack on Android password managers during autofill operations. When a password manager fills credentials into a login page that an app renders inside a WebView, the attack lets the host app capture those credentials by exploiting weaknesses in how Android hands auto-filled data to apps. It works even without JavaScript injection, so a rogue app can harvest user credentials without the user noticing.
Android apps commonly embed the platform's WebView to render web content, including login pages such as third-party sign-in forms. Password managers auto-fill the user's credentials into those pages. AutoSpill exploits Android's failure to keep auto-filled data separate from the host app that owns the WebView, so a rogue host app can capture the credentials the password manager supplied without any visible sign to the user. The researchers tested the attack against a range of password managers and found popular ones vulnerable, including 1Password, LastPass, Enpass, Keeper, and Keepass2Android.
AutoSpill affects a range of password managers on Android 10, 11, and 12. Versions confirmed susceptible include 1Password 7.9.4, LastPass 5.11.0.9519, Enpass 6.8.2.666, Keeper 16.4.3.1048, and Keepass2Android 1.09c-r0. The researchers reported their findings to the affected vendors and to Android's security team, but details of remediation plans have not yet been disclosed.
The researchers found that most Android password managers remain vulnerable to AutoSpill even when JavaScript injection is disabled, so credentials can be compromised during ordinary autofill operations. The root cause is that Android neither clearly defines nor enforces which component is responsible for protecting auto-filled data once it has been supplied, leaving the data open to leakage or capture by the host app.
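The article describes the problem from the framework's side. As an added illustration (not code from the researchers, from Google, or from any of the password managers named above), the following sketch of an Android `AutofillService` shows the check a password manager can make on its own side: it only offers a web credential to fields whose `AssistStructure` node reports a web domain matching the credential's site, and never fills native fields of the host app, which carry no web domain. The class name, the in-memory `VAULT` with its sample entry, and the assumption that this check blocks the leak into native host-app fields are all mine, not claims from the article.

```java
// Added example: an AutofillService that binds web credentials to the web
// domain of the field that requested them, not to the host app on screen.
// Class name, sample vault entry and domain-matching policy are assumptions.
import android.app.assist.AssistStructure;
import android.app.assist.AssistStructure.ViewNode;
import android.os.CancellationSignal;
import android.service.autofill.AutofillService;
import android.service.autofill.Dataset;
import android.service.autofill.FillCallback;
import android.service.autofill.FillContext;
import android.service.autofill.FillRequest;
import android.service.autofill.FillResponse;
import android.service.autofill.SaveCallback;
import android.service.autofill.SaveRequest;
import android.view.View;
import android.view.autofill.AutofillId;
import android.view.autofill.AutofillValue;
import android.widget.RemoteViews;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class DomainBoundAutofillService extends AutofillService {

    /** Minimal credential record; a real manager reads this from its vault. */
    static final class Credential {
        final String site, username, password;
        Credential(String site, String username, String password) {
            this.site = site; this.username = username; this.password = password;
        }
    }

    // Constructed sample data standing in for the encrypted vault.
    private static final Credential[] VAULT = {
        new Credential("example.com", "alice", "correct-horse-battery-staple")
    };

    /** True when the field's web domain is the credential's site or a subdomain of it. */
    static boolean domainMatches(String webDomain, String site) {
        if (webDomain == null || site == null) return false;
        String d = webDomain.toLowerCase(), s = site.toLowerCase();
        return d.equals(s) || d.endsWith("." + s);
    }

    private static Credential lookupForDomain(String webDomain) {
        for (Credential c : VAULT) if (domainMatches(webDomain, c.site)) return c;
        return null;
    }

    private static boolean hasHint(ViewNode node, String hint) {
        String[] hints = node.getAutofillHints();
        return hints != null && Arrays.asList(hints).contains(hint);
    }

    /** Depth-first walk collecting every node that can be autofilled. */
    private static void collect(ViewNode node, List<ViewNode> out) {
        if (node.getAutofillId() != null) out.add(node);
        for (int i = 0; i < node.getChildCount(); i++) collect(node.getChildAt(i), out);
    }

    @Override
    public void onFillRequest(FillRequest request, CancellationSignal signal, FillCallback callback) {
        List<FillContext> contexts = request.getFillContexts();
        AssistStructure structure = contexts.get(contexts.size() - 1).getStructure();
        List<ViewNode> fields = new ArrayList<>();
        for (int i = 0; i < structure.getWindowNodeCount(); i++)
            collect(structure.getWindowNodeAt(i).getRootViewNode(), fields);

        AutofillId userId = null, passId = null;
        String domain = null;
        for (ViewNode n : fields) {
            // A native view of the host app reports no web domain. Web credentials
            // are never assigned to such nodes, so a host app that surrounds its
            // login WebView with its own username/password views gets nothing.
            if (n.getWebDomain() == null) continue;
            if (domain == null) domain = n.getWebDomain();
            else if (!domain.equals(n.getWebDomain())) continue; // mixed origins: skip
            if (hasHint(n, View.AUTOFILL_HINT_USERNAME)) userId = n.getAutofillId();
            if (hasHint(n, View.AUTOFILL_HINT_PASSWORD)) passId = n.getAutofillId();
        }

        Credential cred = (domain == null) ? null : lookupForDomain(domain);
        if (cred == null || userId == null || passId == null) {
            callback.onSuccess(null); // no suggestion for this screen
            return;
        }
        RemoteViews presentation =
            new RemoteViews(getPackageName(), android.R.layout.simple_list_item_1);
        presentation.setTextViewText(android.R.id.text1, cred.username + " (" + cred.site + ")");
        Dataset dataset = new Dataset.Builder(presentation)
            .setValue(userId, AutofillValue.forText(cred.username))
            .setValue(passId, AutofillValue.forText(cred.password))
            .build();
        callback.onSuccess(new FillResponse.Builder().addDataset(dataset).build());
    }

    @Override
    public void onSaveRequest(SaveRequest request, SaveCallback callback) {
        callback.onSuccess(); // saving new credentials is out of scope here
    }
}
```

One caveat to keep in mind: the web domain on a `ViewNode` is populated by whatever view produced the node through `ViewStructure.setWebDomain()`, so a hostile host app with a custom view could claim a domain it does not serve. The check above stops the accidental spill into ordinary native fields, but it does not settle the framework-level question of responsibility that the researchers raise; that still rests with Android.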