AutoSpill Attack Vulnerability in Android Password Managers
AutoSpill exploits a weakness in how credentials are autofilled into Android applications. Android apps often use the WebView component to display web pages, and password managers that support WebView automatically enter the user's credentials into the login page it shows. Researchers have shown that credentials autofilled in this way can be intercepted.
Representatives of the affected products, as well as the Android security team, were notified of the vulnerability. The 1Password team reported that work on a fix for AutoSpill is already under way. LastPass says its engineers have already implemented mitigations, such as pop-up warnings when a suspicious operation is attempted. Keeper Security emphasized the importance of thorough moderation of applications in Google Play, since exploiting the vulnerability requires that malicious software first be installed on the device.
A Google representative emphasized, “Android provides password managers the necessary context to distinguish between their own views and WebView, and also to determine whether the loaded WebView is related to the host application,” and recommended that the developers of such products pay close attention to where passwords are actually being entered.
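As an added illustration of the check Google describes (this is example code written for this article, not code from Android, Google, or any of the password managers named above), the following Android AutofillService refuses to fill a credential into a WebView unless the page domain matches the credential's site and the hosting app is one that site has been associated with. The `TRUSTED_HOSTS` map, the package name `com.example.officialapp`, the domain `login.example.com` and the sample credential are all constructed for the example; a real product would derive the association from Digital Asset Links or its own data rather than a hard-coded map.

```java
// Added example, not from the article: an AutofillService that binds a
// credential to both the web domain and the hosting app package before
// filling, so a third-party app that merely embeds the site's login page in
// its own WebView receives nothing.
import android.app.assist.AssistStructure;
import android.app.assist.AssistStructure.ViewNode;
import android.os.CancellationSignal;
import android.service.autofill.AutofillService;
import android.service.autofill.Dataset;
import android.service.autofill.FillCallback;
import android.service.autofill.FillContext;
import android.service.autofill.FillRequest;
import android.service.autofill.FillResponse;
import android.service.autofill.SaveCallback;
import android.service.autofill.SaveRequest;
import android.view.View;
import android.view.autofill.AutofillId;
import android.view.autofill.AutofillValue;
import android.widget.RemoteViews;
import java.util.*;

public class DomainBoundAutofillService extends AutofillService {

    // Constructed sample: which app packages may present a login for a given site.
    private static final Map<String, Set<String>> TRUSTED_HOSTS = new HashMap<>();
    static {
        TRUSTED_HOSTS.put("login.example.com",
                new HashSet<>(Collections.singletonList("com.example.officialapp")));
    }

    /** Core decision: fill only when page domain (if any) and hosting package are both trusted. */
    static boolean shouldFill(String hostPackage, String webDomain, String credentialDomain) {
        // A WebView node reports the page it shows; it must be the credential's own site.
        if (webDomain != null && !webDomain.equalsIgnoreCase(credentialDomain)) return false;
        // Native view or WebView alike: the host app must be associated with the site.
        Set<String> allowed = TRUSTED_HOSTS.get(credentialDomain);
        return allowed != null && allowed.contains(hostPackage);
    }

    @Override
    public void onFillRequest(FillRequest request, CancellationSignal signal, FillCallback callback) {
        List<FillContext> contexts = request.getFillContexts();
        AssistStructure structure = contexts.get(contexts.size() - 1).getStructure();
        String hostPackage = structure.getActivityComponent().getPackageName();

        // Constructed sample credential for the example (hypothetical, not real data).
        String credentialDomain = "login.example.com";
        String username = "alice";
        String password = "correct-horse-battery-staple";

        RemoteViews presentation = new RemoteViews(getPackageName(), android.R.layout.simple_list_item_1);
        presentation.setTextViewText(android.R.id.text1, username + " @ " + credentialDomain);
        Dataset.Builder dataset = new Dataset.Builder(presentation);
        boolean[] filled = {false};
        for (int i = 0; i < structure.getWindowNodeCount(); i++) {
            visit(structure.getWindowNodeAt(i).getRootViewNode(), null, hostPackage,
                    credentialDomain, username, password, dataset, filled);
        }
        if (!filled[0]) {
            callback.onSuccess(null);   // nothing safe to offer for this host/page
            return;
        }
        callback.onSuccess(new FillResponse.Builder().addDataset(dataset.build()).build());
    }

    /** Walk the view tree, inheriting the WebView's domain down to its child nodes. */
    private void visit(ViewNode node, String inheritedDomain, String hostPackage, String credDomain,
                       String user, String pass, Dataset.Builder ds, boolean[] filled) {
        String domain = node.getWebDomain() != null ? node.getWebDomain() : inheritedDomain;
        String[] hints = node.getAutofillHints();
        AutofillId id = node.getAutofillId();
        if (hints != null && id != null) {
            for (String h : hints) {
                boolean isUser = View.AUTOFILL_HINT_USERNAME.equals(h);
                boolean isPass = View.AUTOFILL_HINT_PASSWORD.equals(h);
                if ((isUser || isPass) && shouldFill(hostPackage, domain, credDomain)) {
                    ds.setValue(id, AutofillValue.forText(isPass ? pass : user));
                    filled[0] = true;
                }
            }
        }
        for (int i = 0; i < node.getChildCount(); i++) {
            visit(node.getChildAt(i), domain, hostPackage, credDomain, user, pass, ds, filled);
        }
    }

    @Override
    public void onSaveRequest(SaveRequest request, SaveCallback callback) {
        callback.onSuccess();
    }
}
```

The point of the check is the second condition in `shouldFill`: matching the page domain alone is what a WebView-aware password manager already does, and it is exactly the step a hostile host app satisfies by loading the genuine login page. Requiring the hosting package to be one the site has associated itself with (in production, typically through the site's Digital Asset Links statement) is what turns Google's advice about determining "whether the loaded WebView is related to the host application" into a concrete fill decision.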
The discovery of this vulnerability underscores the importance of using autofill features deliberately and the need for software developers to take measures to improve data protection. Users, in turn, should remain vigilant even when installing applications from Google Play.