At a presentation at the Black Hat Europe 2023 conference, researchers from the International Institute of Information Technology (IIIT) Hyderabad said they have developed a new attack called AutoSpill that can be used to steal usernames and passwords from popular Android password managers.
Several providers, including Microsoft, Google and Apple, use Android's WebView framework to render login pages so that users can sign in to a service without opening the main browser. Android password managers also rely on WebView to automatically enter the associated account credentials on that login page.
This means that an app which asks you to log in to a service through WebView can intercept and steal the username and password that the password manager autofills, using AutoSpill. The research attributes the issue to Android's lack of clear guidelines on how autofill data should be handled, which allows threat actors to steal sensitive information without leaving a trace.
IIIT Hyderabad researchers said they tested phones and tablets running Android 10, 11 and 12 and found that popular password managers including 1Password, Keeper, Enpass, Keepass2Android and LastPass are susceptible to AutoSpill without any JavaScript injection.
Google Smart Lock and Dashlane, however, appeared to be immune because they use a different mechanism. Even so, all of the aforementioned password managers could be exploited to leak user credentials when JavaScript injection was used.
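As an added, constructed illustration of the kind of check the article's description of WebView autofill (above) implies is missing, and not code from the researchers, Google, or any password manager, the Python below decides whether a manager should fill a login form rendered inside a host app's WebView: it fills only when the site has published a Digital Asset Links statement granting the `delegate_permission/common.get_login_creds` relation to the host app's package name and signing-certificate fingerprint. The domain, package names and fingerprints are made up, and the assetlinks.json content is read from an inline map instead of being fetched over HTTPS so the example runs offline.

```python
"""Gate autofill into a WebView on a Digital Asset Links binding between the
login page's domain and the host app. Constructed example; not code from the
AutoSpill research or any password manager."""
import json

# Relation a site grants when it lets a specific app receive its login credentials.
GET_LOGIN_CREDS = "delegate_permission/common.get_login_creds"

# Constructed stand-in for https://<domain>/.well-known/assetlinks.json, keyed by
# domain. Package names and fingerprints are placeholders, not real values.
ASSETLINKS = {
    "login.example.com": json.dumps([{
        "relation": [GET_LOGIN_CREDS],
        "target": {
            "namespace": "android_app",
            "package_name": "com.example.bank",
            "sha256_cert_fingerprints": ["AA:BB:CC:DD:EE:FF"],  # truncated placeholder
        },
    }]),
    "broken.example.org": "this is not json",  # malformed statement file
}


def normalize_fingerprint(fp: str) -> str:
    """Compare fingerprints case- and colon-insensitively."""
    return fp.replace(":", "").upper()


def domain_trusts_app(web_domain: str, package_name: str, cert_fingerprint: str) -> bool:
    """True only if the domain explicitly delegates login credentials to this app."""
    raw = ASSETLINKS.get(web_domain)
    if raw is None:
        return False  # no statement published: never fill
    try:
        statements = json.loads(raw)
    except ValueError:
        return False  # unparseable statement file: treat as no trust
    for stmt in statements:
        target = stmt.get("target", {})
        if target.get("namespace") != "android_app":
            continue
        if target.get("package_name") != package_name:
            continue
        fps = {normalize_fingerprint(f) for f in target.get("sha256_cert_fingerprints", [])}
        if normalize_fingerprint(cert_fingerprint) not in fps:
            continue  # right package name but wrong signer: could be a repackaged app
        if GET_LOGIN_CREDS in stmt.get("relation", []):
            return True
    return False


def should_autofill(web_domain: str, host_package: str, host_fingerprint: str) -> bool:
    """A form inside a host app's WebView is filled only if the site vouches for that app."""
    return domain_trusts_app(web_domain, host_package, host_fingerprint)
```

A third-party app embedding the same login page in its own WebView fails the check because the site never named it, which is the case the article describes.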
The findings were shared with the Android security team and with the password manager developers. The researchers said both the developers and Google have acknowledged the issue as valid.