Researchers from the International Institute of Information Technology in Hyderabad have uncovered a significant vulnerability in the autofill system of various mobile password managers for Android devices. The flaw, named “AutoSpill,” poses a risk to user credentials by misdirecting where passwords are autofilled within apps, potentially granting unauthorized access to sensitive information.
Technical Explanation of the AutoSpill Flaw
When an Android application utilizes WebView—a component for displaying web content inside an app—an autofill request can be erroneously completed by the password manager. Specifically, during instances where users attempt to log in through a third-party service like Google or Facebook within another app, the password manager might misplace inject login details into the app's native fields, instead of just the third-party login page. Consequently, this issue could expose user credentials if the base application is found to be malicious.
Ankit Gangwal, along with his fellow researchers Shubham Singh and Abhijeet Srivastava, articulated that this vulnerability circumvents the intended secure mechanisms of Android's autofill feature. They highlighted the risk of this malfunction, especially where the base app soliciting login credentials is intent on data exploitation.
Industry Response and Mitigation Efforts
Upon discovery, the team promptly informed Google and the developers of the affected password managers. According to TechCrunch Pedro Canahuati, CTO of 1Password, remarked on the seriousness of the vulnerability and assured that they are formulating a solution to AutoSpill. Canahuati highlighted that 1Password's update will include measures preventing such credential mishandling.
Keeper's CTO, Craig Lurey, acknowledged the communication from researchers and shared that the issue seemed to arise from a malicious app improperly linked to the Keeper password record. Keeper maintains that they have already implemented defenses against the forced association to unauthorized apps and sites, implying that an attack would necessitate explicit user authorization.
Representatives from LastPass indicated that they had preemptively integrated a warning system within their app to alert users of suspicious autofill requests, which has since been updated to provide clearer information.
At the time of the report, Google and Enpass had not issued statements regarding the flaw. The research team continues to probe whether the AutoSpill vulnerability extends to iOS and other potential attack vectors. All users of Android password managers are advised to stay alert for updates from their app providers and to exercise caution regarding autofill prompts within third-party applications.
