Researchers at IIIT Hyderabad have unearthed a vulnerability in the autofill feature of Android apps, a flaw they've termed "AutoSpill." This vulnerability is particularly concerning because it can create situations where mobile password managers unintentionally leak user credentials. The problem arises when an Android app uses a WebView to load a login page, causing the password manager to miscalculate where to autofill login details, potentially exposing these credentials to the app itself.
AutoSpill: A Significant Security Threat
The AutoSpill vulnerability could pose a significant threat, especially if the base app in question has malicious intent. According to the researchers, this loophole in security could potentially be used by cybercriminals to extract sensitive data, such as passwords, thereby compromising user privacy and security.
The Autofill Dilemma: Password Managers at Risk
Steps Towards Mitigation
The teams from 1Password and LastPass have already initiated steps to mitigate the AutoSpill issue. Keeper, on the other hand, says it has built-in safeguards to prevent unauthorized autofill, but did not confirm any specific fixes. At this point, Google and Enpass have yet to respond to inquiries about the vulnerability.
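As an added illustration of the kind of check a password manager's Android autofill service can apply against the scenario described above (a WebView-hosted login page inside an app that does not own that page), the following Java helper refuses to offer credentials unless every web domain in the view tree is associated with the requesting package. This is example code, not 1Password's, LastPass's or Keeper's fix; the class name, ASSOCIATED_DOMAINS and the sample package are constructed stand-ins for a real Digital Asset Links verification.

```java
import android.app.assist.AssistStructure;
import android.app.assist.AssistStructure.ViewNode;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Decides whether an AutofillService should offer credentials for a fill request.
 *  Added example; the class name and the constructed mapping below are not vendor code. */
public final class AutoSpillGuard {
    // Constructed stand-in for a Digital Asset Links (assetlinks.json) lookup:
    // which web domains each app package is allowed to receive credentials for.
    private static final Map<String, Set<String>> ASSOCIATED_DOMAINS = Map.of(
            "com.example.bank", Set.of("login.example-bank.test"));

    /** Collects every web domain reported by WebView-hosted content in the structure. */
    static List<String> webDomains(AssistStructure structure) {
        List<String> out = new ArrayList<>();
        for (int i = 0; i < structure.getWindowNodeCount(); i++) {
            collect(structure.getWindowNodeAt(i).getRootViewNode(), out);
        }
        return out;
    }

    private static void collect(ViewNode node, List<String> out) {
        String domain = node.getWebDomain(); // non-null only for nodes rendered by a WebView
        if (domain != null) out.add(domain);
        for (int i = 0; i < node.getChildCount(); i++) collect(node.getChildAt(i), out);
    }

    /**
     * Returns true only when the login form is native to the app (no web domain at all)
     * or every web domain in the view tree is associated with the requesting package.
     * A WebView showing a third-party login page inside an unrelated app yields false,
     * so the service answers with no datasets instead of filling fields the host app
     * can read.
     */
    static boolean shouldFill(String requestingPackage, AssistStructure structure) {
        List<String> domains = webDomains(structure);
        if (domains.isEmpty()) return true;
        Set<String> allowed = ASSOCIATED_DOMAINS.getOrDefault(requestingPackage, Set.of());
        return allowed.containsAll(domains);
    }
}
```

In `onFillRequest`, take the structure from the last entry of `request.getFillContexts()`, read the package from `structure.getActivityComponent().getPackageName()`, and call `callback.onSuccess(null)` when `shouldFill` returns false.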
In light of these findings, the researchers are conducting further investigations into the possibility of attackers using this vulnerability to extract credentials and whether the issue could also affect iOS devices. LastPass, on a separate note, has acknowledged that hackers were able to steal customers' password vaults.