We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
Advertising Disclosure

vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Android Password Manager Details Stolen in AutoSpill Attack

Android Password Manager Details Stolen in AutoSpill Attack
Keira Waddell Published on 12th December 2023 Former Senior Writer

A security vulnerability named “AutoSpill” poses a threat to Android users who rely on password managers. It has been identified by researchers at the International Institute of Information Technology (IIIT) in Hyderabad, India. The vulnerability, presented at the Black Hat Europe security conference, exposes user credentials during the autofill operation, affecting popular Android password managers.

The AutoSpill attack exploits a flaw in the autofill function of Android devices, particularly when an app’s login page is loaded in WebView controls. WebView is Google’s engine for displaying web content within apps and becomes a point of confusion for password managers, leading them to misdirect the autofill operation. One of the researchers, Ankit Gangwal, told TechCrunch that this confusion results in the exposure of user credentials to the underlying app.

The researchers found that most password managers, including well-known ones like 1Password, LastPass, Keeper, and Enpass, are susceptible to AutoSpill even when JavaScript injection is disabled. Enabling JavaScript injections further amplifies the risk, making all tested password managers vulnerable to the attack.

AutoSpill takes advantage of weaknesses in Android’s autofill framework, where the responsibility for secure handling of auto-filled data is not clearly defined or enforced. As a result, the seized data can be leaked or captured by the host app, allowing a rogue application to snag user credentials secretly without leaving any indication of compromise.

In a simulated attack scenario, a malicious app serving a login form could capture a user’s credentials without their knowledge. This presents a severe security risk, especially in cases where a user unknowingly interacts with a malicious app, leading to unauthorized access to sensitive information stored in password managers.

The researchers tested the AutoSpill attack against various password managers on Android versions 10, 11, and 12. Password managers such as 1Password 7.9.4, LastPass 5.11.0.9519, Enpass 6.8.2.666, Keeper 16.4.3.1048, and Keepass2Android 1.09c-r0 were found to be susceptible to the attack due to their use of Android’s autofill framework.

The researchers disclosed their findings to impacted software vendors and Android’s security team. While some password managers, such as 1Password, are actively working on fixes to strengthen security, others have implemented mitigations.

Android users are advised to exercise caution when using autofill features and consider implementing additional security measures until fixes are introduced by affected password manager providers.

About the Author

Keira was a senior writer at vpnMentor. She is an experienced cybersecurity and tech writer dedicated to providing comprehensive insights on VPNs, online privacy, and internet censorship.

Please, comment on how to improve this article. Your feedback matters!

Leave a comment

Sorry, links are not allowed in this field!

Name should contain at least 3 letters

The field content should not exceed 80 letters

Sorry, links are not allowed in this field!

Please enter a valid email address