Hackers: IIIT-Hyderabad researchers show how hackers can steal account details via Android password managers, Google responds

In a presentation at the Black Hat Europe security conference, researchers from the International Institute of Information Technology (IIIT) at Hyderabad said that their tests showed that most password managers for Android are vulnerable to AutoSpill, a new attack that they discovered, even when no JavaScript injection is used. According to a report by BleepingComputer, the researchers showed how this vulnerability allows a malicious app to capture user data during the autofill process, even without JavaScript injection. These password managers on Android use the platform's WebView framework to automatically type in a user's account credentials when an app loads the login page of services such as Apple, Facebook, Microsoft, or Google.
How AutoSpill Works
Many Android apps use WebView controls to display web content within the app itself, including login pages. This eliminates the need to redirect users to the main browser, which can be cumbersome on smaller screens.
Password managers leverage Android’s WebView framework to automatically fill in user credentials as they access login pages for popular services like Apple, Facebook, Microsoft, or Google. Unfortunately, the researchers discovered a way to exploit weaknesses in this system and capture the auto-filled credentials, even without injecting JavaScript.
However, enabling JavaScript injection makes all Android password managers vulnerable to AutoSpill attacks.
What causes this hack
The core issue is said to lie in Android’s lack of clear guidelines or enforcement mechanisms regarding the secure handling of auto-filled data. This ambiguity leaves room for malicious apps to intercept and steal sensitive information. In an actual attack scenario, a rogue app displaying a login form could silently capture a user’s credentials without leaving any trace of compromise.
Password managers that ‘failed’
The IIIT researchers claimed to have tested AutoSpill in several popular password managers on Android 10, 11, and 12. They found that the following apps were vulnerable:
* 1Password 7.9.4
* LastPass 5.11.0.9519
* Enpass 6.8.2.666
* Keeper 16.4.3.1048
* Keepass2Android 1.09c-r0
Password managers that did not leak data
These vulnerabilities stemmed from their reliance on Android’s native autofill framework. However, two password managers, Google Smart Lock 13.30.8.26 and DashLane 6.2221.3, utilize a different technical approach for autofilling. As a result, they did not leak sensitive data to the host app unless JavaScript injection was specifically used.
What Google said
A Google spokesperson told BleepingComputer, "WebView is used in a variety of ways by Android developers, which include hosting login pages for their own services in their apps. This issue is related to how password managers leverage the autofill APIs when interacting with WebViews.
We recommend third-party password managers be sensitive as to where passwords are being inputted, and we have WebView best practices that we recommend all password managers implement. Android provides password managers with the required context to distinguish between native views and WebViews, as well as whether the WebView being loaded is not related to the hosting app.
For example, when using the Google Password Manager for autofill on Android, users are warned if they are entering a password for a domain Google determines may not be owned by the hosting app, and the password is only filled in on the proper field. Google implements server side protections for logins via WebView.”
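The sections "How AutoSpill Works" and Google's response above both come down to one decision a password manager has to make on every fill request: is the focused login form inside a WebView, and if so, is the web domain it shows actually associated with the app hosting that WebView? The following is an added example, not code from the article, from Google, or from any of the password managers named above. It is an Android AutofillService written in Java that uses the autofill framework's own context (the host package from the AssistStructure and the web domain reported on WebView nodes) and refuses to offer credentials when the host package is not associated with the domain. The association table and the vault contents are constructed stand-ins: a real service would fetch and cache the domain's Digital Asset Links file (https://<domain>/.well-known/assetlinks.json) and also check the host app's signing certificate. The class name, package name and sample values are all hypothetical, and the example assumes the web page marks its fields with autocomplete attributes that WebView exposes as autofill hints.

```java
package example.autofill; // hypothetical package name for this added example

import android.app.assist.AssistStructure;
import android.app.assist.AssistStructure.ViewNode;
import android.os.CancellationSignal;
import android.service.autofill.AutofillService;
import android.service.autofill.Dataset;
import android.service.autofill.FillCallback;
import android.service.autofill.FillContext;
import android.service.autofill.FillRequest;
import android.service.autofill.FillResponse;
import android.service.autofill.SaveCallback;
import android.service.autofill.SaveRequest;
import android.view.View;
import android.view.autofill.AutofillValue;
import android.widget.RemoteViews;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class DomainCheckingAutofillService extends AutofillService {

    // Constructed sample data: host package -> web domains it is verified to own.
    // In a real service this comes from a cached Digital Asset Links lookup.
    private static final Map<String, Set<String>> VERIFIED_ASSOCIATIONS =
            Map.of("com.example.bank", Set.of("login.example-bank.com"));

    // Constructed sample vault: key (web domain or native-app package) -> {username, password}.
    private static final Map<String, String[]> VAULT = Map.of(
            "login.example-bank.com", new String[] {"alice", "sample-password-1"},
            "com.example.notes",      new String[] {"alice", "sample-password-2"});

    @Override
    public void onFillRequest(FillRequest request, CancellationSignal signal, FillCallback callback) {
        List<FillContext> contexts = request.getFillContexts();
        AssistStructure structure = contexts.get(contexts.size() - 1).getStructure();
        String hostPackage = structure.getActivityComponent().getPackageName();

        List<ViewNode> fields = new ArrayList<>();
        for (int i = 0; i < structure.getWindowNodeCount(); i++) {
            collectCredentialFields(structure.getWindowNodeAt(i).getRootViewNode(), fields);
        }
        if (fields.isEmpty()) { callback.onSuccess(null); return; }

        // getWebDomain() is non-null only for nodes that belong to a WebView,
        // which is exactly the context that lets us tell a native form apart.
        String webDomain = null;
        for (ViewNode node : fields) {
            if (node.getWebDomain() != null) { webDomain = node.getWebDomain(); break; }
        }

        String vaultKey;
        if (webDomain == null) {
            vaultKey = hostPackage;                  // native view: the host app owns the form
        } else if (isAssociated(hostPackage, webDomain)) {
            vaultKey = webDomain;                    // WebView whose domain the host app owns
        } else {
            // A WebView showing a domain the host app is not associated with:
            // anything filled here is readable by the host app, so offer nothing.
            callback.onSuccess(null);
            return;
        }

        String[] cred = VAULT.get(vaultKey);
        if (cred == null) { callback.onSuccess(null); return; }

        RemoteViews presentation = new RemoteViews(getPackageName(), android.R.layout.simple_list_item_1);
        presentation.setTextViewText(android.R.id.text1, cred[0] + " (" + vaultKey + ")");
        Dataset.Builder dataset = new Dataset.Builder(presentation);
        for (ViewNode node : fields) {
            boolean isPassword = hasHint(node, View.AUTOFILL_HINT_PASSWORD);
            dataset.setValue(node.getAutofillId(), AutofillValue.forText(isPassword ? cred[1] : cred[0]));
        }
        callback.onSuccess(new FillResponse.Builder().addDataset(dataset.build()).build());
    }

    // Walk the view tree and keep nodes hinted as username, e-mail or password fields.
    private static void collectCredentialFields(ViewNode node, List<ViewNode> out) {
        if (node.getAutofillId() != null
                && (hasHint(node, View.AUTOFILL_HINT_USERNAME)
                    || hasHint(node, View.AUTOFILL_HINT_EMAIL_ADDRESS)
                    || hasHint(node, View.AUTOFILL_HINT_PASSWORD))) {
            out.add(node);
        }
        for (int i = 0; i < node.getChildCount(); i++) collectCredentialFields(node.getChildAt(i), out);
    }

    private static boolean hasHint(ViewNode node, String hint) {
        String[] hints = node.getAutofillHints();
        if (hints == null) return false;
        for (String h : hints) if (hint.equals(h)) return true;
        return false;
    }

    private static boolean isAssociated(String hostPackage, String webDomain) {
        Set<String> domains = VERIFIED_ASSOCIATIONS.get(hostPackage);
        return domains != null && domains.contains(webDomain);
    }

    @Override
    public void onSaveRequest(SaveRequest request, SaveCallback callback) {
        // Saving is out of scope here; a real service applies the same
        // package/domain association check before storing new credentials.
        callback.onSuccess();
    }
}
```

The service must be declared in the manifest with the android.permission.BIND_AUTOFILL_SERVICE permission and selected by the user as the device's autofill service before onFillRequest is invoked. The point of the example is the branch that returns null for an unassociated WebView domain: with this check in place, a host app that embeds a third-party login page sees no autofill dataset at all, which is the behaviour the article attributes to the two managers that did not leak data.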
