New Security Study Reveals AutoSpill Vulnerabilities in Android Password Managers


A recent security study conducted by researchers at the International Institute of Information Technology (IIIT) has unveiled a new attack called AutoSpill, which targets Android password managers and can potentially lead to the theft of account credentials. The researchers discovered that most password managers for Android are vulnerable to this attack, even without the use of JavaScript injection.

The attack works by exploiting weaknesses in Android’s WebView framework, which is commonly used by Android apps to render web content. Password managers on Android rely on this framework to automatically fill in a user’s account credentials when logging into services like Apple, Facebook, Microsoft, or Google.

The AutoSpill attack is particularly concerning because it allows rogue apps to capture a user’s login credentials without leaving any trace of the compromise. This can lead to unauthorized access to sensitive accounts.

The researchers tested AutoSpill against several password managers on various Android versions and found that 1Password, LastPass, Enpass, Keeper, and Keepass2Android are all susceptible to the attack. However, Google Smart Lock and DashLane follow a different technical approach and are safe from AutoSpill unless JavaScript injection is used.

The AutoSpill vulnerability stems from Android’s failure to clearly define the responsibility for securely handling auto-filled data. This loophole can result in the leakage or capture of sensitive information by the host app.

The researchers have reported their findings to the affected software vendors and Android’s security team. While the validity of the report has been acknowledged, no details regarding plans for fixing the issue have been shared yet.

In response to the disclosure, password management providers impacted by AutoSpill, such as 1Password and LastPass, have assured their users that they are working on fixes to address the vulnerability. They emphasize the importance of user vigilance and of explicit user actions being required for autofill functions.

Users are advised to exercise caution while installing apps and only download from trusted app stores like Google Play. Android developers are also encouraged to implement WebView best…

Source…