Autospill: All Password Managers Vulnerable to Theft

Autospill Attack Vulnerability in Android Password Managers

At the Black Hat Europe Cybersecurity Conference, a new attack called “Autospill” was presented. Indian researchers from the International Institute of Information Technology in Hyderabad found that most password managers for Android are vulnerable to this attack, even without the implementation of JavaScript. And with the introduction of JavaScript, absolutely all password managers for the green operating system become vulnerable.

Autospill uses vulnerability in the process of auto-filling accounting data in Android applications, where the WebView component is often used to display web pages. Password managers using WebView automatically enter the user’s data on the web page entrance to the system. Scientists have revealed that during this process, auto-filled accounting data can be intercepted.

Tests held on Android 10, 11, and 12 showed that password managers such as 1password, Lastpass, Enpass, Keeper, and Keepass2android were most prone to this attack. While Google Smart Lock and Dashlane were less vulnerable, unless, of course, using JavaScript-injections.

Representatives of the above products, as well as the Android security team, were notified of the vulnerability. The 1password team reported that work is already underway to correct Autospill. Lastpass claims that experts have already implemented mitigating attacks, such as pop-up warnings when trying to use malicious operations. Keeper Security emphasized the importance of high-quality moderation of applications in Google Play, since for the successful operation of the vulnerability, you must first install malicious software on the device.

The Google representative emphasized, “Android provides password managers the necessary context to distinguish between their own ideas and WebView, and also determine whether the loaded WebView with the host application is related,” and recommended that the developers of such projects be attentive to where the passwords are specifically entered.

The identification of this vulnerability emphasizes the importance of conscious use of auto-filling functions and the need for software developers to take measures to improve data protection. Users, in turn, should be vigilant, even when installing applications through Google Play.

/Reports, release notes, official announcements.