AutoSpill attack steals credentials from Android password managers (Security News, December 2023)
In a presentation at the Black Hat Europe security conference, researchers from the International Institute of Information Technology at Hyderabad said that their tests showed that most password managers for Android are vulnerable to AutoSpill, even without JavaScript injection.
Password managers on Android use the platform's WebView framework to automatically fill in a user's account credentials when an app loads the login page of a service such as Apple, Facebook, Microsoft, or Google.
If JavaScript injections are enabled, the researchers say that all password managers on Android are vulnerable to the AutoSpill attack.
The researchers tested AutoSpill against a selection of password managers on Android 10, 11, and 12 and found that 1Password 7.9.4, LastPass 5.11.0.9519, Enpass 6.8.2.666, Keeper 16.4.3.1048, and Keepass2Android 1.09c-r0 are susceptible to the attack because they rely on Android's autofill framework.
On the Android platform, Keeper prompts the user when attempting to autofill credentials into an Android application or website.
When using the Google Password Manager for autofill on Android, users are warned if they are entering a password for a domain Google determines may not be owned by the hosting app, and the password is only filled in on the proper field.
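The domain check described above, as an added example that is not code from the article, the researchers, or any vendor named here: a minimal Android AutofillService that fills a password into a WebView login page only when the page's web domain is one the hosting app is known to own. The package name, the domain table, the placeholder password value and the service class name are all constructed for illustration; a real service would verify the app/domain pairing through Digital Asset Links and read the credential from its vault.

```java
import android.app.assist.AssistStructure;
import android.app.assist.AssistStructure.ViewNode;
import android.os.CancellationSignal;
import android.service.autofill.*;
import android.view.View;
import android.view.autofill.AutofillId;
import android.view.autofill.AutofillValue;
import android.widget.RemoteViews;
import java.util.*;
public class DomainCheckingAutofillService extends AutofillService {
    // Constructed sample (hypothetical package and domain): hosting app -> web domains it owns.
    // Production code should verify this pairing via Digital Asset Links, not a hard-coded table.
    static final Map<String, Set<String>> OWNED_DOMAINS =
            Map.of("com.example.bank", Set.of("login.example-bank.test"));
    // Core decision: a native field (webDomain == null) is keyed to the hosting package as usual;
    // a field inside a WebView is filled only if the host is known to own that domain.
    static boolean mayFill(String hostPackage, String webDomain) {
        if (webDomain == null) return true;
        return OWNED_DOMAINS.getOrDefault(hostPackage, Set.of()).contains(webDomain);
    }
    @Override public void onFillRequest(FillRequest request, CancellationSignal signal, FillCallback callback) {
        List<FillContext> contexts = request.getFillContexts();
        AssistStructure structure = contexts.get(contexts.size() - 1).getStructure();
        String hostPackage = structure.getActivityComponent().getPackageName();
        String[] domain = new String[1];          // first web domain seen in the view tree, if any
        AutofillId[] passwordField = new AutofillId[1];
        for (int i = 0; i < structure.getWindowNodeCount(); i++) {
            walk(structure.getWindowNodeAt(i).getRootViewNode(), domain, passwordField);
        }
        if (passwordField[0] == null || !mayFill(hostPackage, domain[0])) {
            callback.onSuccess(null);             // decline to fill rather than hand the secret to the host app
            return;
        }
        RemoteViews presentation = new RemoteViews(getPackageName(), android.R.layout.simple_list_item_1);
        presentation.setTextViewText(android.R.id.text1, "Fill saved password");
        Dataset dataset = new Dataset.Builder(presentation)
                .setValue(passwordField[0], AutofillValue.forText("<password from vault>")).build(); // placeholder
        callback.onSuccess(new FillResponse.Builder().addDataset(dataset).build());
    }
    // Depth-first walk recording the first web domain and the first password-hinted field.
    private static void walk(ViewNode node, String[] domain, AutofillId[] pw) {
        if (domain[0] == null && node.getWebDomain() != null) domain[0] = node.getWebDomain();
        List<String> hints = node.getAutofillHints() == null ? List.of() : Arrays.asList(node.getAutofillHints());
        if (pw[0] == null && hints.contains(View.AUTOFILL_HINT_PASSWORD)) pw[0] = node.getAutofillId();
        for (int i = 0; i < node.getChildCount(); i++) walk(node.getChildAt(i), domain, pw);
    }
    @Override public void onSaveRequest(SaveRequest request, SaveCallback callback) { callback.onSuccess(); }
}
```

The single-element arrays are only a compact way to collect results from the recursive walk; the security-relevant logic is `mayFill`, which is what distinguishes a WebView page the host app owns from one it merely embeds.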