Security researchers developed a new attack, AutoSpill, to steal account credentials on Android while autofilling.
In a presentation at the Black Hat Europe security conference, researchers from the International Institute of Information Technology (IIIT) in Hyderabad reported that their tests showed most password managers for Android are vulnerable to AutoSpill even without JavaScript injection.
WebView controls are most often used by Android apps to render web content, such as login pages, instead of redirecting users to the main browser, which would be more cumbersome on small screens.
The WebView framework on Android allows password managers to automatically enter user credentials when an app loads the login page for a service like Apple, Facebook, Microsoft, or Google.
Weaknesses in this process can be exploited by the invoking (host) application to capture the auto-filled credentials, without requiring JavaScript injection.
Researchers say that all password managers on Android are vulnerable to the AutoSpill attack if JavaScript injections are enabled.
Specifically, the AutoSpill issue is related to Android's failure to enforce or clearly define the responsibility for the secure handling of auto-filled data, which may lead to leakage or capture by host apps.
In an attack scenario, a rogue app serving a login form could capture the user's credentials without leaving any indication of the compromise. Additional technical details about the AutoSpill attack are available in the researchers' Black Hat Europe presentation slides.
The researchers tested AutoSpill against several password managers running on Android 10, 11, and 12, and found that 1Password 7.9.4, LastPass 5.11.0.9519, Enpass 6.8.2.666, Keeper 16.4.3.1048, and Keepass2Android 1.09c-r0 are vulnerable because they rely on Android's autofill framework.
Google Smart Lock 13.30.8.26 and DashLane 6.2221.3 used different technical approaches for the autofill process. They did not leak sensitive data to the host app unless JavaScript injection was used.
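The article does not describe which approach the non-leaking managers take, so the following is an added, constructed example (not the code of any password manager named above, nor of the researchers) of one defensive design an Android autofill service can adopt: before filling a login form rendered in a WebView, it checks that the host app is one the credential's web domain is known to trust, and otherwise fills nothing. The trust table and vault lookup are hypothetical placeholders; a real product would derive the app-to-domain association from Digital Asset Links and read credentials from its encrypted vault.

```java
import android.app.assist.AssistStructure;
import android.app.assist.AssistStructure.ViewNode;
import android.os.CancellationSignal;
import android.service.autofill.AutofillService;
import android.service.autofill.Dataset;
import android.service.autofill.FillCallback;
import android.service.autofill.FillContext;
import android.service.autofill.FillRequest;
import android.service.autofill.FillResponse;
import android.service.autofill.SaveCallback;
import android.service.autofill.SaveRequest;
import android.view.View;
import android.view.autofill.AutofillId;
import android.view.autofill.AutofillValue;
import android.widget.RemoteViews;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Illustrative autofill service that binds credentials to a (web domain, host app) pair.
 * Constructed example for this article; not the implementation of any real password manager.
 */
public class DomainBoundAutofillService extends AutofillService {

    // Hypothetical trust table: web domain -> host packages allowed to receive its credentials.
    // A real product would populate this from Digital Asset Links (assetlinks.json) verification.
    private static final Map<String, List<String>> TRUSTED_HOSTS = new HashMap<>();
    // Hypothetical vault lookup: web domain -> {username, password}. Constructed sample values.
    private static final Map<String, String[]> VAULT = new HashMap<>();
    static {
        TRUSTED_HOSTS.put("login.example.com", Collections.singletonList("com.example.officialapp"));
        VAULT.put("login.example.com", new String[]{"alice", "correct-horse-battery-staple"});
    }

    private AutofillId usernameId, passwordId;
    private String webDomain;

    @Override
    public void onFillRequest(FillRequest request, CancellationSignal signal, FillCallback callback) {
        usernameId = null; passwordId = null; webDomain = null;
        List<FillContext> contexts = request.getFillContexts();
        AssistStructure structure = contexts.get(contexts.size() - 1).getStructure();
        // The package that owns the Activity hosting the WebView, i.e. the app that could read the fill.
        String hostPackage = structure.getActivityComponent().getPackageName();

        for (int i = 0; i < structure.getWindowNodeCount(); i++) {
            walk(structure.getWindowNodeAt(i).getRootViewNode());
        }
        if (webDomain == null || usernameId == null || passwordId == null) {
            callback.onSuccess(null); // no WebView login form found; nothing to fill safely
            return;
        }
        // Core check: refuse to fill when the host app is not associated with the web domain.
        List<String> allowed = TRUSTED_HOSTS.get(webDomain);
        if (allowed == null || !allowed.contains(hostPackage)) {
            callback.onSuccess(null);
            return;
        }
        String[] cred = VAULT.get(webDomain);
        RemoteViews presentation = new RemoteViews(getPackageName(), android.R.layout.simple_list_item_1);
        presentation.setTextViewText(android.R.id.text1, cred[0] + " for " + webDomain);
        Dataset dataset = new Dataset.Builder(presentation)
                .setValue(usernameId, AutofillValue.forText(cred[0]))
                .setValue(passwordId, AutofillValue.forText(cred[1]))
                .build();
        callback.onSuccess(new FillResponse.Builder().addDataset(dataset).build());
    }

    // Depth-first walk over the view tree: record the web domain reported for WebView-rendered
    // nodes and the autofill ids of the username/password fields.
    private void walk(ViewNode node) {
        if (node.getWebDomain() != null) webDomain = node.getWebDomain();
        String[] hints = node.getAutofillHints();
        if (hints != null) {
            for (String h : hints) {
                if (View.AUTOFILL_HINT_USERNAME.equals(h) || View.AUTOFILL_HINT_EMAIL_ADDRESS.equals(h)) {
                    usernameId = node.getAutofillId();
                } else if (View.AUTOFILL_HINT_PASSWORD.equals(h)) {
                    passwordId = node.getAutofillId();
                }
            }
        }
        for (int i = 0; i < node.getChildCount(); i++) walk(node.getChildAt(i));
    }

    @Override
    public void onSaveRequest(SaveRequest request, SaveCallback callback) {
        callback.onSuccess(); // saving new credentials is out of scope for this example
    }
}
```

The point of the check is that the host app, not the web page, is the party able to observe the filled values in a WebView; tying each credential to the packages its domain has explicitly associated removes the opportunity described above without depending on whether JavaScript is enabled.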
The researchers shared their findings with the impacted software vendors and Android's security team. Their report was acknowledged as valid, but no details about plans to fix the issue were shared.