Hackers can steal data from Android password managers, show IIIT Hyderabad researchers

Dec 13, 2023 - 12:30

Researchers from the International Institute of Information Technology (IIIT) Hyderabad revealed a newly discovered attack, named AutoSpill, during a presentation at the Black Hat Europe 2023 conference.

AutoSpill targets popular Android password managers, potentially exposing usernames and passwords.

The attack takes advantage of Android’s WebView framework, commonly utilized by services like Microsoft, Google, and Apple to open web pages within apps, allowing users to log in quickly without using the main browser.

Android password managers also leverage the WebView framework to automatically input account credentials on login pages.

AutoSpill exploits this process when an app prompts users to log in using WebView, enabling the interception and theft of usernames and passwords.

The researchers attribute this vulnerability to the lack of clear guidelines in Android regarding the handling of autofill data, providing an avenue for threat actors to acquire sensitive information discreetly.

The researchers tested devices running Android 10, 11, and 12 and found that popular password managers such as 1Password, Keeper, Enpass, Keepass2Android, and LastPass were vulnerable even without JavaScript injection.

However, Google Smart Lock and Dashlane proved immune to AutoSpill because they use a different autofill mechanism. Nevertheless, all of the mentioned password managers could be exploited if JavaScript injection is employed.

The researchers responsibly shared their findings with the Android security team and password manager developers, and both parties acknowledged the validity of the discovered vulnerabilities. This collaboration aims to address and rectify the identified issues to enhance the security of Android password managers.

(With inputs from agencies)
