AutoSpill Attack Steals Credentials from Android Password Managers

Cyber Security Threat Summary:
Security researchers developed a new attack, which they named AutoSpill, to steal account credentials on Android during the autofill operation. In a presentation at the Black Hat Europe security conference, researchers from the International Institute of Information Technology (IIIT) at Hyderabad said that their tests showed that most password managers for Android are vulnerable to AutoSpill, even if there is no JavaScript injection.

Android apps commonly use WebView controls to render web content, notably login pages, inside the app rather than redirecting users to the device's main browser, where such pages may render poorly on small screens. The researchers said that weaknesses in this process can be exploited so that credentials auto-filled into the WebView's login form are captured by the invoking (host) app, even without JavaScript injection. If JavaScript injection is enabled, the researchers say that every password manager they tested on Android is vulnerable to AutoSpill.

Security Officer Comments:
The underlying flaw is that Android does not strictly enforce where auto-filled data is delivered: credentials intended for the login page rendered in a WebView can be leaked to, or captured by, the host application that embeds it. According to the researchers, a rogue app serving a login form could therefore capture the user's credentials without leaving any indication of the compromise.
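As an added illustration (not code from the researchers or from any password-manager vendor), the Android AutofillService below shows the kind of guard a password manager can apply against the scenario described above: when the fill request contains a web form (a view node carrying a web domain) but the requesting package is not a trusted browser, the service declines to fill rather than handing credentials to an arbitrary host app. The browser allow-list is a constructed placeholder; production code would verify the host app's association with the domain (for example via Digital Asset Links) instead of a fixed list.

```java
import android.app.assist.AssistStructure;
import android.app.assist.AssistStructure.ViewNode;
import android.os.CancellationSignal;
import android.service.autofill.AutofillService;
import android.service.autofill.FillCallback;
import android.service.autofill.FillContext;
import android.service.autofill.FillRequest;
import android.service.autofill.SaveCallback;
import android.service.autofill.SaveRequest;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Illustrative autofill service that refuses to fill web forms hosted by non-browser apps. */
public class GuardedAutofillService extends AutofillService {
    // Constructed placeholder allow-list; a real service would verify the
    // app/domain association (Digital Asset Links) rather than trust a fixed list.
    private static final Set<String> TRUSTED_BROWSERS =
            new HashSet<>(Arrays.asList("com.android.chrome", "org.mozilla.firefox"));

    @Override
    public void onFillRequest(FillRequest request, CancellationSignal signal, FillCallback callback) {
        List<FillContext> contexts = request.getFillContexts();
        AssistStructure structure = contexts.get(contexts.size() - 1).getStructure();
        String hostPackage = structure.getActivityComponent().getPackageName();
        String webDomain = findWebDomain(structure);

        if (!shouldFill(hostPackage, webDomain)) {
            // A web login form rendered inside an app that is not a trusted browser
            // (the WebView case): return no datasets so nothing is auto-filled.
            callback.onSuccess(null);
            return;
        }
        // Normal path: look up the account for hostPackage/webDomain and build a
        // FillResponse here (omitted in this illustration).
        callback.onSuccess(null);
    }

    /** Fill native app fields freely; fill web-form fields only for trusted browsers. */
    static boolean shouldFill(String hostPackage, String webDomain) {
        return webDomain == null || TRUSTED_BROWSERS.contains(hostPackage);
    }

    /** Returns the first web domain found in the view hierarchy, or null if none. */
    static String findWebDomain(AssistStructure structure) {
        for (int i = 0; i < structure.getWindowNodeCount(); i++) {
            String d = findWebDomain(structure.getWindowNodeAt(i).getRootViewNode());
            if (d != null) return d;
        }
        return null;
    }

    static String findWebDomain(ViewNode node) {
        if (node.getWebDomain() != null) return node.getWebDomain();
        for (int i = 0; i < node.getChildCount(); i++) {
            String d = findWebDomain(node.getChildAt(i));
            if (d != null) return d;
        }
        return null;
    }

    @Override
    public void onSaveRequest(SaveRequest request, SaveCallback callback) {
        callback.onSuccess();
    }
}
```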

Additional technical details about the AutoSpill attack are available in the researchers' slides from the Black Hat Europe presentation.

Suggested Correction(s):
The researchers tested AutoSpill against a selection of password managers on Android 10, 11, and 12 and found that 1Password 7.9.4, LastPass, Enpass, Keeper, and Keepass2Android 1.09c-r0 are susceptible because they rely on Android's autofill framework.

Google Smart Lock and Dashlane 6.2221.3 took a different technical approach to the autofill process and did not leak sensitive data to the host app unless JavaScript injection was used.

The researchers disclosed their findings to impacted software vendors and Android’s security team and shared their proposals for addressing the problem. Their report was acknowledged as valid, but no details about fixing plans were shared.