A team of researchers has discovered a new type of vulnerability that affects several popular Android password managers. It has been dubbed “AutoSpill”, fittingly, because it abuses the password managers’ autofill functionality through WebView.
What is AutoSpill Vulnerability?
Ankit Gangwal, Shubham Singh, and Abhijeet Srivastava from IIT Hyderabad in India revealed that AutoSpill works by tricking password managers into auto-filling credentials into an app’s native text fields. This happens when the app shows a login page inside a WebView instead of launching the external web browser.
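The defensive check that this mechanism calls for is shown below as an added illustration; it is not code from the article or from any of the named password managers. It sketches a hypothetical Android AutofillService whose fill policy is bound to the origin of the field being filled: view nodes rendered by a WebView carry a web domain, while the host app’s own native text fields do not, and a credential stored for a website is only released to nodes whose web domain matches it. The stored site, username and password are constructed placeholders, and the package-to-site mapping for purely native login screens is deliberately left out.

```kotlin
// Added illustration, not the page's or any vendor's code: a hypothetical
// AutofillService that refuses to fill a web credential into native fields.
import android.app.assist.AssistStructure
import android.app.assist.AssistStructure.ViewNode
import android.os.CancellationSignal
import android.service.autofill.AutofillService
import android.service.autofill.Dataset
import android.service.autofill.FillCallback
import android.service.autofill.FillRequest
import android.service.autofill.FillResponse
import android.view.View
import android.view.autofill.AutofillValue
import android.widget.RemoteViews

class OriginBoundAutofillService : AutofillService() {

    // Constructed sample credential (placeholder values, not real data).
    private val storedSite = "login.example.com"
    private val storedUser = "alice"
    private val storedPass = "correct horse battery staple"

    override fun onFillRequest(
        request: FillRequest,
        cancellationSignal: CancellationSignal,
        callback: FillCallback
    ) {
        val structure = request.fillContexts.last().structure
        val fields = collectCredentialFields(structure)

        // Policy: if any credential field on this screen comes from a WebView, the
        // request is treated as a web login and only nodes whose web domain matches
        // the stored site are filled. Native fields (webDomain == null) in the same
        // activity are never filled from a web credential, which is the behaviour
        // the article describes AutoSpill relying on.
        val webFields = fields.filter { it.webDomain != null }
        val targets = if (webFields.isNotEmpty()) {
            webFields.filter { it.webDomain == storedSite }
        } else {
            // Purely native login screen: a separate package-to-site check would be
            // needed here; omitted in this illustration, so nothing is filled.
            emptyList()
        }
        if (targets.isEmpty()) {
            callback.onSuccess(null)
            return
        }

        val presentation = RemoteViews(packageName, android.R.layout.simple_list_item_1).apply {
            setTextViewText(android.R.id.text1, "$storedUser @ $storedSite")
        }
        val dataset = Dataset.Builder(presentation)
        for (node in targets) {
            val id = node.autofillId ?: continue
            val value = if (isPasswordField(node)) storedPass else storedUser
            dataset.setValue(id, AutofillValue.forText(value))
        }
        callback.onSuccess(FillResponse.Builder().addDataset(dataset.build()).build())
    }

    private fun isPasswordField(node: ViewNode): Boolean =
        node.autofillHints?.contains(View.AUTOFILL_HINT_PASSWORD) == true

    private fun isCredentialField(node: ViewNode): Boolean {
        val hints = node.autofillHints ?: return false
        return hints.contains(View.AUTOFILL_HINT_USERNAME) ||
            hints.contains(View.AUTOFILL_HINT_EMAIL_ADDRESS) ||
            hints.contains(View.AUTOFILL_HINT_PASSWORD)
    }

    // Walk every window of the assist structure and collect the username,
    // e-mail and password fields, whether they sit in a WebView or in native views.
    private fun collectCredentialFields(structure: AssistStructure): List<ViewNode> {
        val out = mutableListOf<ViewNode>()
        fun walk(node: ViewNode) {
            if (isCredentialField(node)) out += node
            for (i in 0 until node.childCount) walk(node.getChildAt(i))
        }
        for (i in 0 until structure.windowNodeCount) {
            walk(structure.getWindowNodeAt(i).rootViewNode)
        }
        return out
    }
}
```

The point of the design is that the decision is made per view node rather than per screen: the presence of a WebView login form does not turn the surrounding app’s native fields into legitimate targets for the same credential, so a host app that mixes the two gets only the web form filled.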
Password Managers Affected by AutoSpill
The researchers tested AutoSpill against prominent password managers, including 1Password, LastPass, Keeper, and Enpass, on fully updated Android devices. Surprisingly, most of the apps were vulnerable even when JavaScript injection was not used; with JavaScript injection enabled, every tested password manager was prone to the vulnerability.
AutoSpill Vulnerability Fix
The researchers have reported this finding to the password manager vendors and to Google. 1Password has acknowledged the vulnerability and will release a fix in the near future, and LastPass has also said that it has put security measures in place. Hopefully, the other password managers will soon identify the issue and release a security patch.
How To Prevent AutoSpill Attack?
The situation is quite severe, as a password manager is supposed to be the last app to get compromised. Malicious exploitation can cause serious damage by stealing hundreds of precious usernames and passwords, and we don’t have to imagine what hackers would do with that information. It’s best to be cautious and to avoid these password manager apps for now.
Kudos to the Indian researchers for finding this severe vulnerability, as it could have done some serious damage. But this incident shows how even modern innovations like these can still fall victim to attacks. It is always a good idea not to trust any app or website blindly: only use certified Android apps from the Google Play Store and do not visit any shady websites.