AutoSpill attack steals credentials from Android password managers

Trending 2 months ago

Android

Security advisers developed a new attack, which they called AutoSpill, to abduct anniversary accreditation on Android during the autofill operation.

In a presentation at the Black Hat Europe aegis conference, researchers from the International Institute of Information Technology (IIIT) at Hyderabad said that their tests showed that best countersign managers for Android are accessible to AutoSpill, alike if there is no JavaScript injection.

How AutoSpill works

Android apps generally use WebView controls to cede web content, such as login pages aural the app, instead of redirecting the users to the capital browser, which would be a added bulky acquaintance on small-screen devices.

Password managers on Android use the platform’s WebView framework to automatically blazon in a user's anniversary accreditation back an app loads the login page to casework like Apple, Facebook, Microsoft, or Google.

Logging in on the university aperture application a Microsoft accountLogging in on a university aperture application a Microsoft account

The advisers said that it is accessible to accomplishment weaknesses in this action to abduction the auto-filled accreditation on the invoking app, alike after JavaScript injection.

If JavaScript injections are enabled, the advisers say that all countersign managers on Android are accessible to the AutoSpill attack.

Internal anatomy of autofill administration on AndroidInternal anatomy of autofill administration on Android

Specifically, the AutoSpill affair stems from Android’s abortion to accomplish or to acutely ascertain the albatross for the defended administration of the auto-filled data, which can aftereffect in aperture it or actuality captured by the host app.

Process breeze of the autofill serviceProcess breeze of the autofill service

In an advance scenario, a rogue app confined a login anatomy could abduction the user’s accreditation after abrogation any adumbration of the compromise. Additional abstruse capacity about the AutoSpill advance are accessible in the researchers' slides from the Black Hat Europe presentation.

More capacity about the AutoSpill advance can be begin in this document, which contains slides from the BlackHat presentation.

Impact and fixing

The advisers activated AutoSpill adjoin a alternative of countersign managers on Android 10, 11, and 12 and begin that 1Password 7.9.4, LastPass 5.11.0.9519, Enpass 6.8.2.666, Keeper 16.4.3.1048, and Keepass2Android 1.09c-r0 are affected to attacks due to application Android’s autofill framework.

Google Smart Lock 13.30.8.26 and the DashLane 6.2221.3 followed a altered abstruse access for the autofill process. They did not aperture acute abstracts to the host app unless JavaScript bang was used.

Test after-effects (U - username), (P - password)Test results: (U - username leaked), (P - countersign leaked), (X - not working), (✓ - safe from AutoSpill)

The advisers appear their allegation to impacted software vendors and Android’s aegis aggregation and aggregate their proposals for acclamation the problem. Their address was accustomed as valid, but no capacity about acclimation affairs were shared.

BleepingComputer has contacted assorted providers of password administration articles that are impacted by AutoSpill, as able-bodied as Google, allurement about their affairs to abode the issue and we accustomed the afterward comments so far:

Many bodies accept become acclimatized to application autofill to bound and calmly access their credentials. Through a awful app installed on the user's device, a hacker could advance a user to accidentally autofill their credentials. AutoSpill highlights this problem. 

Keeping our customers’ best important abstracts safe is our absolute antecedence at 1Password. A fix for AutoSpill has been articular and is currently actuality formed on. 

While the fix will added strengthen our aegis posture, 1Password’s autofill action has been advised to crave the user to booty absolute action.

The amend will accommodate added aegis by preventing built-in fields from actuality abounding with accreditation that are alone advised for Android’s WebView. - 1Password spokesperson


In 2022, we affianced with Dr. Gangwal via Bugcrowd, our bug advantage affairs partner. We analyzed the allegation he submitted and begin it to be a low-risk vulnerability due to the mechanisms appropriate for it to be exploited.

What’s important to agenda actuality is that this vulnerability requires the adeptness and befalling to install a awful app on the ambition device, which would announce a complete accommodation or the adeptness to assassinate cipher on the targeted device. 

Prior to accepting Dr. Gangwal’s findings, LastPass already had a acknowledgment in abode via an in-product pop-up admonishing back the app detected an attack to advantage the exploit. After allegory the findings, we added added informative wording in the pop-up.

We accepted this amend with Dr. Gangwal but did not accept any accepting of our update. - LastPass spokesperson


On May 31, 2022, Keeper accustomed a address from the researcher about a abeyant vulnerability. We requested a video from the researcher to authenticate the appear issue. Based aloft our analysis, we bent the researcher had aboriginal installed a awful appliance and subsequently, acclimatized a alert by Keeper to force the affiliation of the awful appliance to a Keeper countersign record.

Keeper has safeguards in abode to assure users adjoin automatically bushing accreditation into an untrusted appliance or a armpit that was not absolutely accustomed by the user. On the Android platform, Keeper prompts the user back attempting to autofill accreditation into an Android appliance or website. The user is asked to affirm the affiliation of the appliance to the Keeper countersign almanac above-mentioned to bushing any information. On June 29, we abreast the researcher of this advice and additionally recommended that he abide his address to Google back it is accurately accompanying to the Android platform.

Generally, a awful Android appliance would aboriginal charge to be submitted to Google Play Store, advised by Google and subsequently, accustomed for advertisement to the Google Play Store. The user would again charge to install the awful appliance from Google Play and transact with the application. Alternatively, the user would charge to override important aegis settings on their accessory in adjustment to sideload a awful application.

Keeper consistently recommends that individuals be alert and acute about the applications they install and should alone install appear Android applications from trusted app food such as the Google Play Store. - Craig Lurey, CTO and co-founder of Keeper Security


WebView is acclimated in a array of means by Android developers, which accommodate hosting login pages for their own casework in their apps. This affair is accompanying to how countersign managers advantage the autofill APIs back interacting with WebViews.

We acclaim third-party countersign managers be acute as to area passwords are actuality inputted, and we accept WebView best practices that we acclaim all countersign managers implement. Android provides countersign managers with the appropriate ambience to analyze amid built-in angle and WebViews, as able-bodied as whether the WebView actuality loaded is not accompanying to the hosting app.

For example, back application the Google Password Manager for autofill on Android, users are warned if they are entering a countersign for a area Google determines may not be endemic by the hosting app, and the countersign is alone abounding in on the able field. Google accouterments server ancillary protections for logins via WebView. - Google spokesperson