Hackers Can Steal Account Details via Android Password Managers by AutoSpill Attack: IIT Hyderabad Research at Black Hat Europe Summit, All Details

IIIT-H has released research (via BleepingComputer) that was presented at the Black Hat Europe security conference, showing that many password managers on Android are unable to keep account details secure. These password managers can be exploited by attackers through the AutoSpill attack, without any JavaScript injection. Apps on Android commonly use WebView controls to display web content, such as login pages, inside the app itself. This is done to improve the experience for users on small-screen devices: login takes place on the same page, without redirecting users to the browser.
So how does it actually work? Let’s find out. When an app loads a page to log in to Facebook, Google or any other service, a password manager on Android will typically show the saved credentials for that account and offer to fill and submit them. To display that login page, the app uses the platform’s WebView framework.
The AutoSpill attack exploits weaknesses in this process, allowing the invoking (host) app to capture the auto-filled credentials, even without JavaScript injection. The weakness stems from Android’s failure to enforce, or clearly define, responsibility for the secure handling of automatically filled data.
The researchers tested the AutoSpill attack against various password managers on Android versions 10, 11, and 12. The vulnerable password managers included 1Password 7.9.4, LastPass 5.11.0.9519, Enpass 6.8.2.666, Keeper 16.4.3.1048, and Keepass2Android 1.09c-r0. Google Smart Lock 13.30.8.26 and Dashlane 6.2221.3 took a different technical approach to autofill and did not leak sensitive data to the host app unless JavaScript injection was used.
BleepingComputer reached out to the makers of all of these apps for comment on the matter. Google also responded, saying, “WebView is used by Android developers in a variety of ways, including hosting login pages for their own services within their apps. This issue is related to how password managers leverage the Autofill API when interacting with WebView.”
The company further added, “We recommend that third-party password managers be sensitive to where the password is being input, and we have best practices for WebView that we recommend all password managers implement. Android provides password managers with the context needed to distinguish between native views and WebViews, as well as tell when the WebView being loaded is not related to the hosting app.”
Giving an example, Google said, “When using Google Password Manager for autofill on Android, users are warned if they are entering a password for a domain that Google determines is not owned by the hosting app and the password is only entered in the appropriate fields. Google only enforces server-side security for logins via WebView.”
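The two policies described above, the domain-only matching that AutoSpill exploits and the hosting-app check Google recommends, can be compared side by side. The following is an added example written for this article, not code from any password manager or from the IIIT-H researchers: it is a plain-Python simulation of the autofill decision. The request fields mirror what the Android Autofill API hands a manager (the hosting app’s package name and, for a field inside a WebView, the page’s web domain), while the app-to-domain links table and all credentials are constructed stand-ins for the association data a real manager would verify.

```python
"""Model of the decision an Android password manager should make before
releasing a saved credential into a login field.

Added example: a plain-Python simulation of the policy, not code from any
password manager or from the AutoSpill research. APP_DOMAIN_LINKS is a
constructed stand-in for the app/site association data a real manager
would verify (assumption).
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Credential:
    domain: str      # site the login was saved for, e.g. "example.com"
    username: str
    secret: str


@dataclass(frozen=True)
class FillRequest:
    host_package: str            # app whose screen contains the login field
    web_domain: Optional[str]    # None for a native view; page domain for a WebView field


# Constructed table: which app packages legitimately host login pages for which domains.
APP_DOMAIN_LINKS: Dict[str, Set[str]] = {
    "com.example.socialapp": {"example.com"},
}


def same_site(page_domain: str, saved_domain: str) -> bool:
    """True when the page is the saved site itself or one of its subdomains."""
    page = page_domain.lower().rstrip(".")
    saved = saved_domain.lower().rstrip(".")
    return page == saved or page.endswith("." + saved)


def app_linked_to_site(host_package: str, domain: str, links=APP_DOMAIN_LINKS) -> bool:
    """True when the hosting app is associated with the site the credential belongs to."""
    return any(same_site(domain, linked) for linked in links.get(host_package, ()))


def decide_naive(req: FillRequest, cred: Credential, links=APP_DOMAIN_LINKS) -> str:
    """Policy that matches only the page domain and ignores who hosts the WebView.

    This is the gap the AutoSpill research describes: a third-party app that
    embeds a legitimate login page receives the filled credential."""
    if req.web_domain is None:
        return "fill" if app_linked_to_site(req.host_package, cred.domain, links) else "refuse"
    return "fill" if same_site(req.web_domain, cred.domain) else "refuse"


def decide(req: FillRequest, cred: Credential, links=APP_DOMAIN_LINKS) -> str:
    """Policy that also checks the hosting app. Returns 'fill', 'warn' or 'refuse'.

    'warn' means the page really is the saved site, but the app showing it is
    not known to own that site, so the user must confirm before anything is filled."""
    if req.web_domain is None:
        # Native view: the credential belongs to a website, so only fill it
        # into an app that is associated with that site.
        return "fill" if app_linked_to_site(req.host_package, cred.domain, links) else "refuse"
    if not same_site(req.web_domain, cred.domain):
        return "refuse"   # page is not the site this credential was saved for
    if app_linked_to_site(req.host_package, cred.domain, links):
        return "fill"     # the site's own app hosting its own login page
    return "warn"         # unrelated host app: ask the user instead of filling silently


if __name__ == "__main__":
    cred = Credential("example.com", "alice", "correct-horse")   # constructed
    for req in (FillRequest("com.example.socialapp", "accounts.example.com"),
                FillRequest("com.thirdparty.reader", "accounts.example.com"),
                FillRequest("com.thirdparty.reader", "login.evil.test")):
        print(req.host_package, req.web_domain,
              "naive:", decide_naive(req, cred), "checked:", decide(req, cred))
```

The second request is the AutoSpill case: the page domain is genuinely the saved site, so the naive policy fills, while the checked policy sees that the hosting package is not associated with that site and stops to warn the user instead.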
Some other password managers have also responded to BleepingComputer; you can read their responses in its report.