Researchers from the International Institute of Information Technology (IIIT) Hyderabad have revealed a new threat named 'AutoSpill,' capable of pilfering usernames and passwords from popular Android password manager apps like 1Password and LastPass.
(Image source: Unsplash)
In a presentation at the Black Hat Europe 2023 conference, the team explained that AutoSpill exploits Android's WebView framework, which apps use to display web login pages from services such as Microsoft, Google, and Apple for quick sign-in. Android password managers, relying on WebView, automatically fill account credentials into these login pages. The vulnerability stems from Android's ambiguous guidelines on how autofilled data should be handled, allowing attackers to capture the credentials covertly.
AutoSpill affects popular password managers including 1Password, Keeper, Enpass, Keepass2Android, and LastPass on devices running Android 10, 11, and 12, without requiring JavaScript injection. Google Smart Lock and Dashlane, which use a different mechanism, are not affected by the JavaScript-free variant, though they remain exploitable when JavaScript injection is used.
The research findings have been communicated to the Android security team and the password manager developers, who acknowledged the issue as a valid concern. Users are advised to stay vigilant and follow updates from both Android and their password manager's developers to safeguard their credentials.