Your mobile password manager might be exposing your credentials
Researchers at IIIT Hyderabad have identified a vulnerability in Android’s autofill feature, named “AutoSpill,” which could lead to the exposure of saved credentials from popular mobile password managers.
Due to a flaw in the autofill feature of Android apps, several well-known mobile password managers are unintentionally disclosing user credentials.
Researchers at IIIT Hyderabad have discovered a vulnerability they have dubbed “AutoSpill,” which can expose users’ saved credentials from mobile password managers by evading Android’s secure autofill mechanism. The research was presented this week at Black Hat Europe.
The researchers, Ankit Gangwal, Shubham Singh, and Abhijeet Srivastava, found that when an Android app loads a login page in WebView, a password manager can become “disoriented” about where to send the user’s login information and autofill the credentials into the host app’s native fields instead of the web page. WebView, the Google-supplied engine preinstalled on Android, lets developers display web content inside an app without opening a web browser, and it is WebView that generates the autofill request.
Imagine using the “login via Google or Facebook” option when signing in to your preferred music app on a mobile device. Speaking to TechCrunch ahead of the Black Hat presentation on Wednesday, Gangwal explained that the music app would use WebView to open a Google or Facebook login page inside the app.
“Ideally, the password manager should only autofill into the loaded Google or Facebook page when the autofill feature is activated. However, we discovered that the autofill feature might inadvertently reveal the login credentials to the main application.”
Gangwal points out that the vulnerability has serious consequences, especially if the host app is malicious. “Any malicious app that asks you to log in via another site, like Google or Facebook, can automatically access sensitive information,” he continued, and no phishing is required.
The researchers tested the AutoSpill vulnerability on new, up-to-date Android devices using some of the most widely used password managers, including 1Password, LastPass, Keeper, and Enpass. Even with JavaScript injection turned off, they found that the majority of the password managers were susceptible to credential leaks. With JavaScript injection enabled, all of the tested password managers were vulnerable to AutoSpill.
Gangwal claims to have reported the vulnerability to Google and the impacted password managers.
1Password’s chief technology officer, Pedro Canahuati, told TechCrunch that the company has identified the AutoSpill issue and is developing a fix. Canahuati stated, “1Password’s autofill function has been designed to require the user to take explicit action, even though the fix will further strengthen our security posture.” “By preventing credentials meant exclusively for Android’s WebView from being entered into native fields, the update will add an extra layer of security.”
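As an added illustration (not code from the researchers, Google, or any vendor named here), the following Android AutofillService sketch implements the mitigation 1Password describes: it partitions the requested fields by whether they carry a web domain, fills only the WebView page, and never writes web-bound credentials into the host app’s native fields. The class name, the vault lookup hook, and the subclass that would supply onSaveRequest are assumptions.

```java
import android.app.assist.AssistStructure;
import android.os.CancellationSignal;
import android.service.autofill.AutofillService;
import android.service.autofill.Dataset;
import android.service.autofill.FillCallback;
import android.service.autofill.FillRequest;
import android.service.autofill.FillResponse;
import android.view.View;
import android.view.autofill.AutofillValue;
import android.widget.RemoteViews;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public abstract class WebViewAwareAutofillService extends AutofillService {
    // Assumed vault hook (not from the page): returns {username, password} for a web domain, or null.
    protected abstract String[] lookupCredential(String webDomain);
    @Override
    public void onFillRequest(FillRequest request, CancellationSignal signal, FillCallback callback) {
        AssistStructure structure = request.getFillContexts().get(request.getFillContexts().size() - 1).getStructure();
        List<AssistStructure.ViewNode> webFields = new ArrayList<>();    // fields inside the WebView page
        List<AssistStructure.ViewNode> nativeFields = new ArrayList<>(); // the host app's own EditTexts
        for (int i = 0; i < structure.getWindowNodeCount(); i++) partition(structure.getWindowNodeAt(i).getRootViewNode(), webFields, nativeFields);
        // No web login page on screen: nothing here is web-bound, so this service offers nothing.
        if (webFields.isEmpty()) { callback.onSuccess(null); return; }
        // AutoSpill guard: credentials are bound to the page's domain, and every web field must share it.
        String domain = webFields.get(0).getWebDomain();
        for (AssistStructure.ViewNode n : webFields) if (!domain.equals(n.getWebDomain())) { callback.onSuccess(null); return; }
        String[] cred = lookupCredential(domain);
        if (cred == null) { callback.onSuccess(null); return; }
        RemoteViews presentation = new RemoteViews(getPackageName(), android.R.layout.simple_list_item_1);
        presentation.setTextViewText(android.R.id.text1, cred[0]);
        Dataset.Builder dataset = new Dataset.Builder(presentation);
        for (AssistStructure.ViewNode n : webFields) {
            List<String> hints = Arrays.asList(n.getAutofillHints());
            if (hints.contains(View.AUTOFILL_HINT_USERNAME)) dataset.setValue(n.getAutofillId(), AutofillValue.forText(cred[0]));
            if (hints.contains(View.AUTOFILL_HINT_PASSWORD)) dataset.setValue(n.getAutofillId(), AutofillValue.forText(cred[1]));
        }
        // nativeFields are deliberately never given a value: that is the leak path the researchers describe.
        callback.onSuccess(new FillResponse.Builder().addDataset(dataset.build()).build());
    }

    // Walk the view tree, sorting autofillable text fields by whether they carry a web domain.
    private static void partition(AssistStructure.ViewNode node, List<AssistStructure.ViewNode> web, List<AssistStructure.ViewNode> nat) {
        if (node.getAutofillType() == View.AUTOFILL_TYPE_TEXT && node.getAutofillHints() != null) {
            (node.getWebDomain() != null ? web : nat).add(node);
        }
        for (int i = 0; i < node.getChildCount(); i++) partition(node.getChildAt(i), web, nat);
    }
}
```

A production service would additionally verify the domain against the saved record before filling and handle native-only login screens separately; the point here is that a request mixing WebView and native fields never routes web credentials to the native side.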
In comments provided to TechCrunch, Keeper CTO Craig Lurey stated that the company was informed of a possible vulnerability, but he did not specify whether any fixes had been implemented. “We asked the researcher to provide a video that would illustrate the issue that was reported. Our investigation led us to the conclusion that the researcher had installed a malicious program first, then responded to a Keeper prompt to compel the malicious program to be linked to a Keeper password record,” according to Lurey.
Keeper suggested that the researcher submit his report to Google because it “relates specifically to the Android platform” and stated that there are “safeguards in place to protect users against automatically filling credentials into an untrusted application or a site that was not explicitly authorized by the user.”
Enpass and Google did not reply to TechCrunch’s inquiries. Alex Cox, director of LastPass’s threat intelligence, mitigation, and escalation team, told TechCrunch that the company had already implemented a mitigation, an in-product pop-up warning shown when it detected an attempt to use the exploit, before being informed of the researchers’ findings. “We added more informative wording in the pop-up after analyzing the findings,” Cox stated.
Gangwal told TechCrunch that the researchers are currently investigating whether an attacker could obtain credentials from the app and use them to access WebView. The group is also looking into whether the vulnerability can be reproduced on iOS.