AutoSpill attack steals credentials from Android password managers

vtqhtr413

Security researchers developed a new attack, which they named AutoSpill, to steal account credentials on Android during the autofill operation. In a presentation at the Black Hat Europe security conference, researchers from the International Institute of Information Technology (IIIT) at Hyderabad said that their tests showed that most password managers for Android are vulnerable to AutoSpill, even if there is no JavaScript injection.

How AutoSpill works

Android apps often use WebView controls to render web content, such as login pages within the app, instead of redirecting the users to the main browser, which would be a more cumbersome experience on small-screen devices.

Password managers on Android use the platform’s WebView framework to automatically type in a user's account credentials when an app loads the login page to services like Apple, Facebook, Microsoft, or Google.

The researchers said that it is possible to exploit weaknesses in this process to capture the auto-filled credentials on the invoking app, even without JavaScript injection. If JavaScript injections are enabled, the researchers say that all password managers on Android are vulnerable to the AutoSpill attack.

Jonny Quest

Good article, Bryan, as I use 1Password (on Android 13). From your link:

Impact and fixing

The researchers tested AutoSpill against a selection of password managers on Android 10, 11, and 12 and found that 1Password 7.9.4, LastPass 5.11.0.9519, Enpass 6.8.2.666, Keeper 16.4.3.1048, and Keepass2Android 1.09c-r0 are susceptible to attacks due to using Android’s autofill framework.

Google Smart Lock 13.30.8.26 and Dashlane 6.2221.3 followed a different technical approach for the autofill process. They did not leak sensitive data to the host app unless JavaScript injection was used.

vtqhtr413

By now, you’ve probably heard about a vulnerability named AutoSpill, which can leak credentials from any of the seven leading password managers for Android. The threat it poses is real, but it’s also more limited and easier to contain than much of the coverage to date has recognized.

This FAQ dives into the many nuances that make AutoSpill hard for most people (yours truly included) to understand.

Q: What is AutoSpill?

A:
While much of the press coverage of AutoSpill has described it as an attack, it’s more helpful to view it as a set of unsafe behaviors that occur inside the Android operating system when a credential stored in a password manager is autofilled into an app installed on the device. This unsafe behavior exposes the credentials being autofilled to the third-party app, which can be just about any kind of app as long as it accepts credentials for logging the user into an account.

Password managers affected in one way or another include Google Smart Lock, Dashlane, 1Password, LastPass, Enpass, Keepass2Android, and Keeper. Other password managers may also be affected since the researchers who identified AutoSpill limited their query to these seven titles.