Android Password Manager Details Stolen in AutoSpill Attack
A security vulnerability dubbed “AutoSpill” threatens Android users who rely on password managers. It was identified by researchers at the International Institute of Information Technology (IIIT) in Hyderabad, India, and presented at the Black Hat Europe security conference. The flaw exposes user credentials during the autofill operation and affects popular Android password managers.
The AutoSpill attack exploits a weakness in Android’s autofill handling that surfaces when an app loads a login page inside a WebView control. WebView is the Android system component for rendering web content inside an app. When a login form is rendered this way, the password manager cannot reliably tell whether the credentials it is about to fill belong to the web page or to the host app, and may fill them where the host app can read them. One of the researchers, Ankit Gangwal, told TechCrunch that this confusion results in the user’s credentials being exposed to the underlying app.
The researchers found that most password managers, including well-known ones such as 1Password, LastPass, Keeper, and Enpass, are susceptible to AutoSpill even when JavaScript injection is disabled. Enabling JavaScript injection amplifies the risk further, making all tested password managers vulnerable to the attack.
AutoSpill takes advantage of the fact that Android’s autofill framework does not clearly define or enforce who is responsible for the secure handling of auto-filled data. As a result, the auto-filled credentials can be leaked to, or captured by, the host app, allowing a rogue application to collect user credentials silently, without leaving any indication of compromise.
In a simulated attack scenario, a malicious app that loads a legitimate login page in a WebView could capture the user’s credentials without their knowledge. This is a severe risk in any case where a user unknowingly interacts with a malicious app, since it leads to unauthorized access to the accounts whose credentials are stored in the password manager.
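The check a password manager can apply to close the gap described above is to release credentials only to a host app that the credential’s web domain explicitly trusts. The following is an added example, not code from the AutoSpill researchers or from any of the vendors named in this article: a stand-alone Python simulation of the policy an Android autofill service would run on each fill request. The package name, signing-certificate fingerprint, Digital Asset Links document, vault entries and domains below are all constructed for the example. In a real service the package name comes from the request’s AssistStructure, the fingerprint from PackageManager’s signing info, the web domain from ViewNode.getWebDomain(), and the assetlinks.json document from the domain itself over HTTPS.

```python
"""Simulated autofill-service policy check for AutoSpill-style requests (added example)."""
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Digital Asset Links relation a site uses to delegate its login credentials to an app.
GET_LOGIN_CREDS = "delegate_permission/common.get_login_creds"

# Hypothetical SHA-256 signing-certificate fingerprint of the legitimate app.
OFFICIAL_FINGERPRINT = (
    "14:6D:E9:83:C5:73:06:50:D8:EE:B9:95:2F:34:FC:64:"
    "16:A0:83:42:E6:1D:BE:A8:8A:04:96:B2:3F:CF:44:E5"
)

# Constructed stand-in for https://accounts.example.com/.well-known/assetlinks.json
ASSETLINKS = {
    "accounts.example.com": json.dumps([{
        "relation": [GET_LOGIN_CREDS],
        "target": {
            "namespace": "android_app",
            "package_name": "com.example.official",
            "sha256_cert_fingerprints": [OFFICIAL_FINGERPRINT],
        },
    }]),
}

# Constructed vault: credentials are keyed by web domain, never by package name.
VAULT = {"accounts.example.com": ("alice", "correct horse battery staple")}


@dataclass(frozen=True)
class FillRequest:
    package_name: str          # from AssistStructure.getActivityComponent()
    cert_fingerprint: str      # from PackageManager signing info, never self-reported
    web_domain: Optional[str]  # ViewNode.getWebDomain(); None for native (non-WebView) fields


def fetch_assetlinks(domain: str) -> List[dict]:
    """Offline stand-in for fetching the domain's assetlinks.json over HTTPS."""
    raw = ASSETLINKS.get(domain)
    return json.loads(raw) if raw else []


def domain_delegates_to(domain: str, package_name: str, fingerprint: str) -> bool:
    """True only if the domain grants get_login_creds to this package AND this signing cert."""
    wanted = fingerprint.upper()
    for stmt in fetch_assetlinks(domain):
        target = stmt.get("target", {})
        prints = {p.upper() for p in target.get("sha256_cert_fingerprints", [])}
        if (GET_LOGIN_CREDS in stmt.get("relation", [])
                and target.get("namespace") == "android_app"
                and target.get("package_name") == package_name
                and wanted in prints):
            return True
    return False


def decide_fill(req: FillRequest) -> Tuple[str, Optional[Tuple[str, str]]]:
    """Return ("fill", (user, password)) or ("refuse", None).

    A WebView's web domain selects the credential; the host package is then
    required to be delegated by that domain. Native login fields with no web
    domain are filled only if exactly one vault domain delegates to the package.
    """
    if req.web_domain is not None:
        domain = req.web_domain
    else:
        delegated = [d for d in VAULT
                     if domain_delegates_to(d, req.package_name, req.cert_fingerprint)]
        if len(delegated) != 1:
            return ("refuse", None)
        domain = delegated[0]
    creds = VAULT.get(domain)
    if creds is None or not domain_delegates_to(domain, req.package_name, req.cert_fingerprint):
        # AutoSpill case: an unrelated host app loaded the login page in its WebView.
        return ("refuse", None)
    return ("fill", creds)


if __name__ == "__main__":
    print(decide_fill(FillRequest("com.example.official", OFFICIAL_FINGERPRINT, "accounts.example.com")))
    print(decide_fill(FillRequest("com.rogue.app", OFFICIAL_FINGERPRINT, "accounts.example.com")))
```

Two design points matter here. The decision is to refuse outright rather than fill and warn: once the values are in the WebView’s DOM, JavaScript injected by the host app (the JavaScript-injection variant the article mentions) can read them, so a fill into an unverified host is already a leak. And the fingerprint check is what stops a repackaged app that reuses the legitimate package name, which is why it must come from PackageManager rather than from anything the requesting app supplies.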
The researchers tested the AutoSpill attack against various password managers on Android versions 10, 11, and 12. Password managers such as 1Password 7.9.4, LastPass 5.11.0.9519, Enpass 6.8.2.666, Keeper 16.4.3.1048, and Keepass2Android 1.09c-r0 were found to be susceptible to the attack due to their use of Android’s autofill framework.
The researchers disclosed their findings to the affected software vendors and to Android’s security team. Some password manager vendors, such as 1Password, said they are actively working on fixes, while others said they had already implemented mitigations.
Until fixes are shipped by the affected password manager providers, Android users should be cautious with autofill: check that an autofill prompt names the app and site they expect before accepting it, and avoid autofilling inside apps they do not trust.