AutoSpill flaw in Android apps exposes passwords, warns IIIT Hyderabad researchers

  • The AutoSpill vulnerability exposes user credentials from popular mobile password managers on Android.
  • Discovered by IIIT Hyderabad researchers, the flaw abuses Android's autofill mechanism when a login page is rendered inside an app's WebView.
  • Password managers including 1Password and LastPass are susceptible, even with JavaScript injection disabled.
  • The researchers alerted Google and the affected managers; some are working on fixes.
Researchers from IIIT Hyderabad recently uncovered a serious weakness in popular mobile password managers, dubbing it the "AutoSpill" vulnerability. The flaw, which affects the autofill function of Android apps, makes the password manager spill user credentials into the wrong place. The IIIT Hyderabad team, namely Ankit Gangwal, Shubham Singh and Abhijeet Srivastava, presented the finding at Black Hat Europe and showed that it subverts Android's supposedly secure autofill mechanism.

"Through a malicious app installed on the user's device, a hacker could lead a user to unintentionally autofill their credentials. AutoSpill highlights this problem," explained 1Password in an email to Digital Information World.

For starters, when a login page pops up inside an Android app's WebView (the Google-supplied component that lets apps display web content without launching a browser), password managers get confused about where the credentials belong. Instead of filling only the login form inside the WebView, they can also push the username and password into the host app's own native input fields. Imagine logging in to your favorite music app using the "login via Google or Facebook" option. The password manager should ideally autofill only the Google or Facebook page, right? Well, it turns out the autofill operation could disclose those credentials to the base app as well, which is not cool.

Now, the real kicker is the potential fallout, especially if the base app has a malicious agenda. Gangwal stressed that, even without resorting to phishing tactics, any shady app that asks you to log in via Google or Facebook could automatically harvest your sensitive credentials.

The researchers tested AutoSpill against big-name password managers such as 1Password, LastPass and Keeper. Surprise, surprise: most were vulnerable even with JavaScript injection disabled, and once JavaScript injection was enabled, every password manager they tested fell prey to the flaw.

Gangwal did the responsible thing and gave Google and the affected password managers a heads-up about the flaw. 1Password's CTO, Pedro Canahuati, said a fix is in the works to tighten their security. He added: "While the fix will further strengthen our security posture, 1Password’s autofill function has been designed to require the user to take explicit action. The update will provide additional protection by preventing native fields from being filled with credentials that are only intended for Android’s WebView."
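To make the WebView-versus-native-field distinction from the explanation above concrete, and to show the kind of protection Canahuati describes, here is an added example of a scoped Android autofill service. It is not 1Password's, Keeper's or the researchers' code; it was written for this article. The service walks the AssistStructure that Android hands every autofill service, tags each text field with the domain of the nearest enclosing WebView (the host app's native fields have none), and only fills fields that belong to the web domain the stored credential was saved for. The package name, the in-memory vault and the exact-match domain comparison are placeholders assumed for illustration; a real manager would use encrypted storage and proper domain matching.

```kotlin
// Added example for this article, not vendor or researcher code. Assumes Android API 26+
// and a hypothetical package name; the vault below is constructed sample data.
package com.example.autospillguard

import android.app.assist.AssistStructure
import android.app.assist.AssistStructure.ViewNode
import android.os.CancellationSignal
import android.service.autofill.AutofillService
import android.service.autofill.Dataset
import android.service.autofill.FillCallback
import android.service.autofill.FillRequest
import android.service.autofill.FillResponse
import android.service.autofill.SaveCallback
import android.service.autofill.SaveRequest
import android.view.View
import android.view.autofill.AutofillId
import android.view.autofill.AutofillValue
import android.widget.RemoteViews

/** A fillable text field from the AssistStructure. webDomain is null for native views. */
data class FillableField(val id: AutofillId, val hints: Set<String>, val webDomain: String?)

/** A stored credential; constructed sample, a real vault would live in encrypted storage. */
data class Credential(val domain: String, val username: String, val password: String)

class AutoSpillGuardService : AutofillService() {

    private val vault = listOf(
        Credential("accounts.google.com", "alice@example.com", "correct horse battery staple")
    )

    override fun onFillRequest(request: FillRequest, signal: CancellationSignal, callback: FillCallback) {
        val fields = collectFields(request.fillContexts.last().structure)

        // Only fields hosted inside a WebView carry a web domain. The host app's native
        // fields never match a web credential, so they are never filled: filling them
        // is exactly the AutoSpill leak.
        val webFields = fields.filter { it.webDomain != null }
        val cred = webFields.firstNotNullOfOrNull { f -> vault.firstOrNull { it.domain == f.webDomain } }
        if (cred == null) {
            callback.onSuccess(null)   // nothing to offer; a native-only screen gets no dataset
            return
        }

        val presentation = RemoteViews(packageName, android.R.layout.simple_list_item_1).apply {
            setTextViewText(android.R.id.text1, "${cred.username} (${cred.domain})")
        }
        val dataset = Dataset.Builder(presentation)
        var filled = 0
        for (f in webFields.filter { it.webDomain == cred.domain }) {
            val value = when {
                View.AUTOFILL_HINT_PASSWORD in f.hints -> cred.password
                View.AUTOFILL_HINT_USERNAME in f.hints ||
                    View.AUTOFILL_HINT_EMAIL_ADDRESS in f.hints -> cred.username
                else -> null
            } ?: continue
            dataset.setValue(f.id, AutofillValue.forText(value))
            filled++
        }
        callback.onSuccess(if (filled == 0) null else FillResponse.Builder().addDataset(dataset.build()).build())
    }

    override fun onSaveRequest(request: SaveRequest, callback: SaveCallback) = callback.onSuccess()
}

/** Walk every window in the structure, propagating the nearest WebView ancestor's domain. */
fun collectFields(structure: AssistStructure): List<FillableField> {
    val out = mutableListOf<FillableField>()
    for (i in 0 until structure.windowNodeCount) {
        walk(structure.getWindowNodeAt(i).rootViewNode, null, out)
    }
    return out
}

private fun walk(node: ViewNode, inheritedDomain: String?, out: MutableList<FillableField>) {
    // The WebView's own node reports the page domain; its HTML inputs are virtual children
    // carrying htmlInfo. A native EditText in the host app reports neither.
    val domain = node.webDomain ?: inheritedDomain
    val id = node.autofillId
    if (id != null && node.autofillType == View.AUTOFILL_TYPE_TEXT) {
        val hints = node.autofillHints?.toSet() ?: inferHints(node)
        if (hints.isNotEmpty()) out += FillableField(id, hints, domain)
    }
    for (i in 0 until node.childCount) walk(node.getChildAt(i), domain, out)
}

/** Fallback for HTML inputs that set no autofill hints, e.g. <input type="password">. */
private fun inferHints(node: ViewNode): Set<String> {
    val attrs = node.htmlInfo?.attributes ?: return emptySet()
    val type = attrs.firstOrNull { it.first.equals("type", ignoreCase = true) }?.second
    return when (type?.lowercase()) {
        "password" -> setOf(View.AUTOFILL_HINT_PASSWORD)
        "email" -> setOf(View.AUTOFILL_HINT_EMAIL_ADDRESS)
        else -> emptySet()
    }
}
```

The service still needs the usual manifest entry (an android.service.autofill.AutofillService intent filter under the BIND_AUTOFILL_SERVICE permission) before Android will bind to it. Two caveats a practitioner should keep in mind: first, Android's autofill documentation warns that a WebView's reported domain is not trustworthy on its own and expects the service to check it against the host app's Digital Asset Links before filling web credentials inside that app, which this example omits; second, the check above covers the framework autofill path only, so a manager that also injects JavaScript into the page, the variant the researchers found affected every manager they tested, needs the same scoping applied to that path separately.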

Keeper's CTO, Craig Lurey, said the company had been notified of a possible issue but did not spill the beans about any fix.

Bottom line: it's a wake-up call for password managers, their users and app developers. The researchers are now digging deeper to see whether attackers could pull credentials in the other direction, from the app's native fields into the WebView, and whether the flaw also affects iOS. Talk about a digital rollercoaster!

In response to the AutoSpill vulnerability affecting mobile password managers, users can take several precautions:
  • Keep both your password manager app and your Android system up to date so you benefit from any released patches.
  • Be cautious of autofill prompts inside third-party apps, especially when an app shows a "sign in with Google or Facebook" page inside itself rather than opening your browser; consider entering those passwords manually instead.
  • Regularly review app permissions and remove any that are not needed.
  • Most importantly, enable two-factor authentication wherever possible, so a spilled password alone is not enough to take over the account, and stay informed about security updates from your password manager provider.
  • If security concerns persist, explore alternative password managers with a strong security track record.
  • Report any suspicious activity promptly to both the password manager provider and the affected app or service.
