Summary
The AutoSpill attack is a new threat to Android password managers. This article covers how the attack works, which password managers were found to be vulnerable, and how the affected vendors responded.
At the Black Hat Europe 2023 security conference, researchers from the International Institute of Information Technology (IIIT) Hyderabad presented a new attack named AutoSpill. It targets Android password managers and steals user credentials during the autofill operation.
“Security is always excessive until it’s not enough.” – Robbie Sinclair
How AutoSpill Works
AutoSpill abuses the autofill operation of Android password managers. Android apps often use WebView controls to render web content, such as login pages, inside the app instead of handing the user off to the main browser; this is especially common on small-screen devices, where switching to the browser is cumbersome. Password managers on Android plug into the platform's Autofill framework, so when an app loads a login page for a service such as Apple, Facebook, Microsoft or Google in a WebView, the framework asks the password manager to supply the user's credentials for that page.
The researchers found that the host app (the app that embeds the WebView) can capture the autofilled credentials, even without injecting JavaScript: the framework does not reliably separate the fields that belong to the web page from native input fields the host app controls, so credentials intended for the page can end up in fields the host app can read. If the host app additionally injects JavaScript into the WebView, every password manager tested on Android is vulnerable, because the host can simply read the filled form fields out of the page. The root cause is that Android neither enforces nor clearly defines who is responsible for securely handling autofilled data once the password manager has released it, so the data can leak to, or be captured by, the host app.
Impact and Countermeasures
The researchers tested AutoSpill against a range of password managers on Android 10, 11 and 12. Those that rely on Android's Autofill framework were susceptible, including 1Password 7.9.4, LastPass 5.11.0.9519, Enpass 6.8.2.666, Keeper 16.4.3.1048 and Keepass2Android 1.09c-r0.
Google Smart Lock 13.30.8.26 and Dashlane 6.2221.3, which use a different technical approach to autofill, did not leak credentials to the host app unless JavaScript injection was used. The findings, together with proposed fixes, were disclosed to the affected vendors and to Android's security team. The report was acknowledged as valid, but no details of remediation plans were shared with the researchers.
Responses from Software Vendors
Several software vendors have responded to the AutoSpill threat. A spokesperson from 1Password stated that a fix for AutoSpill has been identified and is currently in the works. The update will enhance their security posture by preventing native fields from being filled with credentials intended only for Android’s WebView.
LastPass said it already had a mitigation in place before receiving the AutoSpill findings: an in-product pop-up warns the user when the app detects an attempt to leverage the exploit, and after analyzing the findings LastPass made the wording of that pop-up more informative.
Keeper Security, co-founded by Craig Lurey, clarified that Keeper has safeguards protecting users against automatically filling credentials into an untrusted application or site. The user is prompted to confirm the association of the application to the Keeper password record before serving any information.
Google also weighed in, stating that the issue relates to how password managers leverage the autofill APIs when interacting with WebViews. It recommends that all password managers implement its WebView best practices, and notes that Android already gives password managers the context required to distinguish between native views and WebViews.
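The mechanism described under "How AutoSpill Works" and the guard Google and 1Password describe above are easier to see in code. What follows is an added example, not code from the AutoSpill researchers, Google or any password-manager vendor: a skeleton Android AutofillService in Kotlin that refuses to write credentials belonging to a WebView page into native fields of the host app, and fills WebView fields only when the page domain reported by the framework matches the saved credential. The package name, class names, the `SAMPLE_VAULT` contents and the helper names are assumptions made for this example; the APIs used (AutofillService, AssistStructure.ViewNode.getWebDomain(), Dataset.Builder, WebView.evaluateJavascript) are Android's own.

```kotlin
// Added example; hypothetical package name, not any vendor's code.
package com.example.guardedfill

import android.app.assist.AssistStructure
import android.os.CancellationSignal
import android.service.autofill.AutofillService
import android.service.autofill.Dataset
import android.service.autofill.FillCallback
import android.service.autofill.FillRequest
import android.service.autofill.FillResponse
import android.service.autofill.SaveCallback
import android.service.autofill.SaveRequest
import android.view.View
import android.view.autofill.AutofillId
import android.view.autofill.AutofillValue
import android.webkit.WebView
import android.widget.RemoteViews

// Constructed sample credential; a real manager reads this from its vault.
data class Credential(val domain: String, val username: String, val password: String)

val SAMPLE_VAULT = listOf(
    Credential("accounts.example.com", "alice", "correct horse battery staple"),
)

// A fillable field plus the provenance the guard relies on: webDomain is
// non-null only for fields the framework reports from inside a WebView.
data class FillTarget(val id: AutofillId, val hint: String, val webDomain: String?)

// Exact-host or subdomain match. Simplification: production code should use
// the public-suffix list so "evil-example.com" is not confused with "example.com".
fun domainMatches(pageDomain: String, credDomain: String): Boolean =
    pageDomain == credDomain || pageDomain.endsWith(".$credDomain")

// The fill policy as a pure function, so it can be reviewed apart from the
// framework plumbing. (Associating the host package with the credential, as
// Keeper describes, is a separate check not shown here.)
fun planFill(targets: List<FillTarget>, cred: Credential): Map<AutofillId, String> {
    val screenHasWebView = targets.any { it.webDomain != null }
    val plan = mutableMapOf<AutofillId, String>()
    for (t in targets) {
        // AutoSpill's core problem: the framework will put credentials meant for
        // the WebView page into native fields the host app owns. If a WebView is
        // on screen, refuse to touch native fields at all.
        if (t.webDomain == null && screenHasWebView) continue
        // Fill a WebView field only if the page really belongs to the credential.
        if (t.webDomain != null && !domainMatches(t.webDomain, cred.domain)) continue
        when (t.hint) {
            View.AUTOFILL_HINT_USERNAME -> plan[t.id] = cred.username
            View.AUTOFILL_HINT_PASSWORD -> plan[t.id] = cred.password
        }
    }
    return plan
}

class GuardedAutofillService : AutofillService() {

    override fun onFillRequest(request: FillRequest, signal: CancellationSignal, callback: FillCallback) {
        val structure = request.fillContexts.last().structure
        val targets = mutableListOf<FillTarget>()
        for (i in 0 until structure.windowNodeCount) {
            collect(structure.getWindowNodeAt(i).rootViewNode, targets)
        }

        val response = FillResponse.Builder()
        var datasets = 0
        for (cred in SAMPLE_VAULT) {
            val plan = planFill(targets, cred)
            if (plan.isEmpty()) continue
            // Row shown in the autofill picker; uses a framework layout, no custom resource.
            val presentation = RemoteViews(packageName, android.R.layout.simple_list_item_1).apply {
                setTextViewText(android.R.id.text1, "${cred.username} @ ${cred.domain}")
            }
            val dataset = Dataset.Builder(presentation)
            for ((id, value) in plan) dataset.setValue(id, AutofillValue.forText(value))
            response.addDataset(dataset.build())
            datasets++
        }
        // A null response tells the framework there is nothing safe to fill here.
        callback.onSuccess(if (datasets > 0) response.build() else null)
    }

    override fun onSaveRequest(request: SaveRequest, callback: SaveCallback) {
        callback.onSuccess() // saving new logins is out of scope for this example
    }

    // Walk the view tree, keeping username/password fields and recording whether
    // each came from a WebView. Simplification: WebView pages often carry no
    // autofill hints, so a real manager also inspects ViewNode.getHtmlInfo().
    private fun collect(node: AssistStructure.ViewNode, out: MutableList<FillTarget>) {
        val id = node.autofillId
        node.autofillHints?.forEach { h ->
            if (id != null && (h == View.AUTOFILL_HINT_USERNAME || h == View.AUTOFILL_HINT_PASSWORD)) {
                out += FillTarget(id, h, node.webDomain)
            }
        }
        for (i in 0 until node.childCount) collect(node.getChildAt(i), out)
    }
}

// For contrast, the JavaScript-injection route that defeats every tested
// manager: the host app owns the WebView and can read the filled field after
// autofill. No check inside the manager prevents this once the fill has
// happened; only declining to fill into an untrusted host does.
fun hostReadsFilledPassword(webView: WebView, onValue: (String) -> Unit) {
    webView.evaluateJavascript(
        "document.querySelector('input[type=password]').value"
    ) { result -> onValue(result) }
}
```

The guard is deliberately coarse: once any WebView-originated field is present on the screen, native fields are not filled at all, which is the behaviour 1Password describes for its fix. `hostReadsFilledPassword` is the attacker's side of the second scenario in the article and shows why the domain check alone is not enough; a manager that has already filled a field inside a hostile app cannot take the value back.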