AutoSpill, a new threat revealed during Black Hat Europe

December 21, 2023

At the Black Hat Europe security conference, researchers unveiled a new threat named AutoSpill, which can allegedly steal account credentials from Android devices during autofill. The researchers explained that most Android password managers, including widely used ones such as 1Password, LastPass, Enpass, Keeper, and Keepass2Android, are susceptible to this newly discovered attack.

AutoSpill exploits the common use of WebView controls in Android applications, which render web content, including login pages, inside the app rather than redirecting the user to an external browser.

Password managers depend on Android’s WebView framework to automatically input user credentials when an application loads login pages for services like Apple, Facebook, Microsoft, or Google.

Figure: the AutoSpill exploit takes advantage of insecurely handled auto-filled data.

The researchers emphasised that the AutoSpill attack arises from Android’s failure to enforce secure handling of auto-filled data. This flaw allows malicious apps to capture sensitive information without any JavaScript injection; where JavaScript injection is possible, all Android password managers are potentially at risk.
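To make the root cause concrete from the defender's side, the following is an added example written for this article; it is not code from the AutoSpill researchers or from any of the password managers named above. It sketches how a password manager's Android AutofillService can scope what it fills by the web domain that the platform reports for each field (`AssistStructure.ViewNode.getWebDomain()`), so that credentials saved for a site are never written into native widgets of the app embedding the WebView. The in-memory vault, the domain `login.example.test` and the class name are constructed for illustration only.

```java
// Added example (not from the page, the talk, or any named vendor): an Android
// AutofillService that fills only fields belonging to one web domain and drops
// the host app's native fields whenever web content is present.
import android.app.assist.AssistStructure;
import android.app.assist.AssistStructure.ViewNode;
import android.os.CancellationSignal;
import android.service.autofill.AutofillService;
import android.service.autofill.Dataset;
import android.service.autofill.FillCallback;
import android.service.autofill.FillContext;
import android.service.autofill.FillRequest;
import android.service.autofill.FillResponse;
import android.service.autofill.SaveCallback;
import android.service.autofill.SaveRequest;
import android.view.View;
import android.view.autofill.AutofillId;
import android.view.autofill.AutofillValue;
import android.widget.RemoteViews;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class DomainScopedAutofillService extends AutofillService {

    /** One autofillable field found while walking the view tree. */
    static final class Field {
        final AutofillId id;
        final boolean isPassword;
        final String webDomain; // null for a native widget of the host app

        Field(ViewNode node) {
            id = node.getAutofillId();
            String[] hints = node.getAutofillHints();
            isPassword = hints != null
                    && Arrays.asList(hints).contains(View.AUTOFILL_HINT_PASSWORD);
            webDomain = node.getWebDomain();
        }
    }

    // Constructed sample vault (domain -> {username, password}); a real manager
    // reads from its encrypted store.
    private static final Map<String, String[]> VAULT = new HashMap<>();
    static { VAULT.put("login.example.test", new String[] {"alice", "correct-horse"}); }

    /** Collect every node that carries an autofill id and autofill hints. */
    static void collect(ViewNode node, List<Field> out) {
        if (node.getAutofillId() != null && node.getAutofillHints() != null) {
            out.add(new Field(node));
        }
        for (int i = 0; i < node.getChildCount(); i++) collect(node.getChildAt(i), out);
    }

    /**
     * Decide which fields may be filled. If any field comes from web content,
     * keep only fields of that single domain and discard the host app's native
     * fields, so the site's credentials cannot spill into widgets the embedding
     * app controls. Fields from more than one domain are refused outright.
     */
    static List<Field> fillTargets(List<Field> fields) {
        String domain = null;
        for (Field f : fields) {
            if (f.webDomain == null) continue;
            if (domain == null) domain = f.webDomain;
            else if (!domain.equals(f.webDomain)) return new ArrayList<>(); // ambiguous page
        }
        List<Field> out = new ArrayList<>();
        if (domain == null) return out; // native-only form: out of scope for this example
        for (Field f : fields) if (domain.equals(f.webDomain)) out.add(f);
        return out;
    }

    @Override
    public void onFillRequest(FillRequest request, CancellationSignal signal, FillCallback callback) {
        List<FillContext> contexts = request.getFillContexts();
        AssistStructure structure = contexts.get(contexts.size() - 1).getStructure();
        List<Field> fields = new ArrayList<>();
        for (int i = 0; i < structure.getWindowNodeCount(); i++) {
            collect(structure.getWindowNodeAt(i).getRootViewNode(), fields);
        }
        List<Field> targets = fillTargets(fields);
        String[] cred = targets.isEmpty() ? null : VAULT.get(targets.get(0).webDomain);
        if (cred == null) { // nothing saved for this domain: offer no dataset at all
            callback.onSuccess(null);
            return;
        }
        RemoteViews presentation =
                new RemoteViews(getPackageName(), android.R.layout.simple_list_item_1);
        presentation.setTextViewText(android.R.id.text1, cred[0] + " (" + targets.get(0).webDomain + ")");
        Dataset.Builder dataset = new Dataset.Builder(presentation);
        for (Field f : targets) {
            dataset.setValue(f.id, AutofillValue.forText(f.isPassword ? cred[1] : cred[0]));
        }
        callback.onSuccess(new FillResponse.Builder().addDataset(dataset.build()).build());
    }

    @Override
    public void onSaveRequest(SaveRequest request, SaveCallback callback) {
        callback.onSuccess(); // saving newly entered credentials is not shown here
    }
}
```

The point of `fillTargets` is the invariant: a dataset built for a web domain only ever contains autofill ids whose nodes report that same domain, so native fields the host app added around its WebView receive nothing. A production service would additionally verify that the host package is entitled to the domain (for example via Digital Asset Links) before offering a dataset for a native-only form, which this example deliberately leaves out.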

In a hypothetical attack, a rogue app could serve a fake login form that silently captures the user’s credentials, leaving no trace of compromise. The researchers highlighted the severity of the issue and stressed the need for immediate attention to prevent widespread credential theft.

The researchers tested AutoSpill against various password managers on Android 10, 11, and 12, finding vulnerabilities in popular apps. Notably, Google Smart Lock and DashLane take a different technical approach to autofill and were more resistant to the attack unless JavaScript injection was present.

The researchers disclosed these findings to the affected software vendors and to Android’s security team. While the vendors acknowledged the threat as valid, they have yet to reveal specific plans to address the vulnerability.

Meanwhile, users should exercise caution when relying on Android password managers while waiting for security updates from their providers. This discovery illustrates the evolving landscape of cybersecurity threats.

Organisations and security providers should collaborate to create more fortified digital defences against emerging risks.
