
AutoSpill Vulnerability in Android Apps Could Leak User Credentials

Salman Khan

Researchers at IIIT Hyderabad have found a flaw in the way autofill is handled in Android apps, which they have named "AutoSpill." It is worrying because it can make mobile password managers leak user credentials without the user noticing. The problem arises when an Android app loads a login page inside a WebView: the password manager can misjudge where the login details should go, so the credentials it fills in may end up exposed to the host app itself.
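The check a password manager can apply against this is to refuse to fill a WebView field unless the web page's domain is verified to belong to the app hosting it. The following Kotlin sketch is an added illustration of that guard inside an Android AutofillService; it is not code from the researchers or from any of the password managers named in this article. The package-to-domain allowlist (`associatedDomains`), the credential store (`vault`), and the example package and domain names are hypothetical stand-ins.

```kotlin
import android.app.assist.AssistStructure.ViewNode
import android.os.CancellationSignal
import android.service.autofill.AutofillService
import android.service.autofill.Dataset
import android.service.autofill.FillCallback
import android.service.autofill.FillRequest
import android.service.autofill.FillResponse
import android.view.View
import android.view.autofill.AutofillValue
import android.widget.RemoteViews

// Added illustration: an AutofillService that declines to fill WebView fields
// whose web domain is not verified to belong to the host app. This is not the
// code of any password manager named in the article.
class GuardedAutofillService : AutofillService() {

    // Hypothetical allowlist: host package -> web domains it may legitimately
    // load in a WebView. A real manager would derive this from a verified
    // association such as Digital Asset Links, never from a hard-coded map.
    private val associatedDomains = mapOf(
        "com.example.bank" to setOf("login.example-bank.com")
    )

    // Hypothetical credential store keyed by web domain (username to password).
    private val vault = mapOf(
        "login.example-bank.com" to Pair("alice", "correct horse battery staple")
    )

    override fun onFillRequest(
        request: FillRequest,
        cancellationSignal: CancellationSignal,
        callback: FillCallback
    ) {
        val structure = request.fillContexts.last().structure
        // The package name comes from the system, so it can be trusted to
        // identify which app is hosting the form.
        val hostPackage = structure.activityComponent.packageName

        val fields = mutableListOf<ViewNode>()
        for (i in 0 until structure.windowNodeCount) {
            collect(structure.getWindowNodeAt(i).rootViewNode, fields)
        }

        // A non-null webDomain means the field lives inside a WebView: the
        // login page is rendered by the host app rather than being the host app.
        val webDomain = fields.firstNotNullOfOrNull { it.webDomain }
        if (webDomain == null) {
            // Native login form: match credentials on the package instead (not shown).
            callback.onSuccess(null)
            return
        }

        // The AutoSpill guard: fill only if the host app is entitled to this
        // domain. Filling an arbitrary WebView hands the credentials to whatever
        // app is hosting it.
        if (!isDomainAssociated(hostPackage, webDomain)) {
            callback.onSuccess(null)
            return
        }

        val (username, password) = vault[webDomain] ?: run { callback.onSuccess(null); return }
        val userField = fields.firstOrNull { hasHint(it, View.AUTOFILL_HINT_USERNAME) }?.autofillId
        val passField = fields.firstOrNull { hasHint(it, View.AUTOFILL_HINT_PASSWORD) }?.autofillId
        if (userField == null || passField == null) {
            callback.onSuccess(null)
            return
        }

        // Dropdown presentation; a framework layout avoids needing app resources here.
        val presentation = RemoteViews(packageName, android.R.layout.simple_list_item_1).apply {
            setTextViewText(android.R.id.text1, "$username ($webDomain)")
        }
        val dataset = Dataset.Builder(presentation)
            .setValue(userField, AutofillValue.forText(username))
            .setValue(passField, AutofillValue.forText(password))
            .build()
        callback.onSuccess(FillResponse.Builder().addDataset(dataset).build())
    }

    // True only when the host package is explicitly associated with the domain.
    fun isDomainAssociated(hostPackage: String, webDomain: String): Boolean =
        associatedDomains[hostPackage]?.contains(webDomain) == true

    private fun hasHint(node: ViewNode, hint: String): Boolean =
        node.autofillHints?.contains(hint) == true

    // Depth-first walk collecting every node that can be autofilled.
    private fun collect(node: ViewNode, out: MutableList<ViewNode>) {
        if (node.autofillId != null) out.add(node)
        for (i in 0 until node.childCount) collect(node.getChildAt(i), out)
    }
}
```

The important line is the `isDomainAssociated` check: the framework tells the service which package is hosting the form and which web domain the WebView is showing, but it is the autofill service's job to decide whether that pairing is legitimate. Android's autofill documentation recommends Digital Asset Links for that verification; a manager that skips it and fills any WebView that presents a login form is exactly the situation AutoSpill exploits.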


AutoSpill: A Significant Security Threat

The risk is greatest when the host app is itself malicious. According to the researchers, an attacker who controls such an app could use the flaw to harvest sensitive data such as passwords, compromising user privacy and security.

The Autofill Dilemma: Password Managers at Risk


The researchers tested several popular password managers, including 1Password, LastPass, Keeper, and Enpass, on current Android devices. Most of them were vulnerable to AutoSpill, and all of them were when JavaScript injection was enabled.

Steps Towards Mitigation

1Password and LastPass have already begun work on mitigations for AutoSpill. Keeper said it has built-in safeguards against unauthorized autofill but did not confirm any specific fix. Google and Enpass have not yet responded to inquiries about the vulnerability.

The researchers are now investigating whether attackers can use the flaw to actively extract credentials, and whether iOS is affected as well. Separately, LastPass has previously acknowledged that attackers were able to steal customers' password vaults.
