Android password managers vulnerable to 'AutoSpill' attack, researchers warn

Exploits a weakness in autofill functionality


The flaw, presented at last week's Black Hat Europe conference, could let a malicious app capture a user's credentials during the autofill process, a significant risk for Android users.

The researchers - Ankit Gangwal, Shubham Singh and Abhijeet Srivastava from the International Institute of Information Technology (IIIT) in Hyderabad - conducted tests on various Android devices, including the Poco F1, Samsung Galaxy A52 and Galaxy Tab S6 Lite. They demonstrated potential security weaknesses in popular password manager (PM) apps like 1Password, LastPass, Keeper and Enpass.

AutoSpill abuses Android's WebView, the component that lets an app render web content, including third-party login pages, without handing off to an external browser.

Password managers, in turn, rely on Android's autofill framework to fill credentials into login pages that an app loads in a WebView.

The researchers showed that AutoSpill can exploit weaknesses in this process to capture auto-filled credentials, without resorting to JavaScript injection.

They explained that a PM can become "disoriented" during the autofill operation: it cannot tell which fields belong to the web page and which belong to the host ("base") app, so credentials intended for the page end up in the host app's own native input fields.

In the researchers' scenario, a malicious app that presents a login page through a WebView alongside its own native fields could silently capture the credentials the password manager fills, leaving the user no sign of compromise.

The researchers tested the password managers on Android 10, 11 and 12. They found that 1Password 7.9.4, LastPass 5.11.0.9519, Enpass 6.8.2.666, Keeper 16.4.3.1048 and Keepass2Android 1.09c-r0 are all susceptible to AutoSpill, as all of them fill credentials through Android's autofill framework.

Only two password managers resisted the attack. Google Smart Lock 13.30.8.26 and Dashlane 6.2221.3 both take a different technical approach to autofill, and neither leaked credentials to the host app unless JavaScript injection was also used.

The rise of password manager usage makes this discovery particularly concerning, with 34% of users in the US relying on these tools, a significant increase from 21% in 2022, according to Security.org's annual "Password Manager Industry Report and Market Outlook."

Gangwal highlighted the severity of the AutoSpill vulnerability, warning that malicious apps could easily obtain credentials without resorting to phishing or trickery.

1Password acknowledged the researchers' findings and said a fix is on the way. CTO Pedro Canahuati said the upcoming update will stop native fields from being filled with credentials intended only for Android's WebView.
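As an added illustration, and not code from the researchers, from 1Password or from any other vendor, the following Java sketch of an Android AutofillService shows the distinction the "disoriented" behaviour and 1Password's described fix both turn on: fields that belong to a WebView page report a web domain through the autofill framework, while an app's own native views do not. With the hypothetical STRICT_DOMAIN_BINDING flag off, the service fills every username/password field on screen, the pattern AutoSpill exploits; with it on, a credential stored for a domain is filled only into fields on a page from that domain. The class and constant names, the single constructed vault entry, and the assumption that fields carry autofill hints (android:autofillHints or an HTML autocomplete attribute) are the example's own.

```java
import android.app.assist.AssistStructure;
import android.app.assist.AssistStructure.ViewNode;
import android.os.CancellationSignal;
import android.service.autofill.AutofillService;
import android.service.autofill.Dataset;
import android.service.autofill.FillCallback;
import android.service.autofill.FillContext;
import android.service.autofill.FillRequest;
import android.service.autofill.FillResponse;
import android.service.autofill.SaveCallback;
import android.service.autofill.SaveRequest;
import android.view.View;
import android.view.autofill.AutofillId;
import android.view.autofill.AutofillValue;
import android.widget.RemoteViews;
import java.util.ArrayList;
import java.util.List;

// Added example, not code from the researchers or from any password manager.
public class DomainBoundAutofillService extends AutofillService {
    // false: fill every username/password field on screen (AutoSpill-susceptible).
    // true: fill only fields on a WebView page whose domain matches the vault entry.
    private static final boolean STRICT_DOMAIN_BINDING = true;
    // Constructed sample vault entry; a real service looks entries up per domain.
    private static final String VAULT_DOMAIN = "login.example.com";
    private static final String VAULT_USERNAME = "alice";
    private static final String VAULT_PASSWORD = "correct horse battery staple";

    /** One fillable field found in the screen's view hierarchy. */
    private static final class Field {
        final AutofillId id;
        final String kind;      // "username" or "password"
        final String webDomain; // null for a native view outside any WebView page
        Field(AutofillId id, String kind, String webDomain) {
            this.id = id; this.kind = kind; this.webDomain = webDomain;
        }
    }

    @Override
    public void onFillRequest(FillRequest request, CancellationSignal signal,
                              FillCallback callback) {
        List<FillContext> contexts = request.getFillContexts();
        AssistStructure structure = contexts.get(contexts.size() - 1).getStructure();
        List<Field> fields = new ArrayList<>();
        for (int i = 0; i < structure.getWindowNodeCount(); i++) {
            collect(structure.getWindowNodeAt(i).getRootViewNode(), null, fields);
        }

        RemoteViews presentation = new RemoteViews(getPackageName(),
                android.R.layout.simple_list_item_1);
        presentation.setTextViewText(android.R.id.text1, VAULT_USERNAME + " @ " + VAULT_DOMAIN);
        Dataset.Builder dataset = new Dataset.Builder(presentation);
        int filled = 0;
        for (Field f : fields) {
            // A native EditText owned by the host app has webDomain == null and is
            // skipped under strict binding; so is a page from any other domain.
            if (STRICT_DOMAIN_BINDING && !VAULT_DOMAIN.equals(f.webDomain)) continue;
            String value = "password".equals(f.kind) ? VAULT_PASSWORD : VAULT_USERNAME;
            dataset.setValue(f.id, AutofillValue.forText(value));
            filled++;
        }
        if (filled == 0) {
            callback.onSuccess(null); // nothing this service is willing to fill
            return;
        }
        callback.onSuccess(new FillResponse.Builder().addDataset(dataset.build()).build());
    }

    /**
     * Depth-first walk. A WebView page reports its domain via getWebDomain(); the
     * nearest enclosing domain is passed down so every node under that page carries
     * it, whichever node the WebView implementation set it on.
     */
    private static void collect(ViewNode node, String inheritedDomain, List<Field> out) {
        String domain = node.getWebDomain() != null ? node.getWebDomain() : inheritedDomain;
        String kind = classify(node.getAutofillHints());
        if (kind != null && node.getAutofillId() != null
                && node.getAutofillType() == View.AUTOFILL_TYPE_TEXT) {
            out.add(new Field(node.getAutofillId(), kind, domain));
        }
        for (int i = 0; i < node.getChildCount(); i++) {
            collect(node.getChildAt(i), domain, out);
        }
    }

    /** Maps android:autofillHints or an HTML autocomplete token to a field kind. */
    private static String classify(String[] hints) {
        if (hints == null) return null;
        for (String h : hints) {
            if (View.AUTOFILL_HINT_USERNAME.equals(h)
                    || View.AUTOFILL_HINT_EMAIL_ADDRESS.equals(h)) return "username";
            if (View.AUTOFILL_HINT_PASSWORD.equals(h)
                    || "current-password".equals(h)) return "password";
        }
        return null;
    }

    @Override
    public void onSaveRequest(SaveRequest request, SaveCallback callback) {
        callback.onSuccess(); // saving credentials is out of scope for this illustration
    }
}
```

The exact-host comparison is deliberately simple; production password managers apply more careful rules (registrable-domain matching, handling of hint-less fields), and the vendors' actual fixes are not published on this page. The point the sketch makes is structural: a web credential should be bound to the WebView page that asked for it and never offered to native views of the app hosting that WebView.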

Keeper said it has integrated protective measures to safeguard users from automatically filling credentials into untrusted apps.

LastPass says it already showed a warning pop-up for apps attempting to exploit the weakness before it was publicly disclosed, and that it has since reworded the pop-up to alert users more clearly.

The researchers next plan to attempt the attack on Apple's iOS, and to explore the reverse direction: pulling data from the host app into a WebView page.

The findings underscore the need for Android users to exercise caution when using password managers, and to remain vigilant for updates and fixes from password manager providers and Google.