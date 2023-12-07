A recent study by researchers at IIIT Hyderabad has revealed a significant weakness in how Android's autofill framework handles login pages rendered inside apps. Dubbed "AutoSpill," the flaw can expose users' saved credentials from mobile password managers through Android's own autofill flow, without any need to defeat the framework's security checks.

The researchers found that when an Android app loads a login page in a WebView, password managers can become confused about which fields the user's credentials belong in, and may fill them into the host app's native input fields as well. WebView, the Google-supplied web engine that ships with Android, lets developers render web content inside their own apps; when the user focuses a login form in that embedded page, the autofill framework issues a fill request that describes both the web page's fields and the host app's native views.

For instance, imagine logging into a music app on your phone with the "sign in with Google or Facebook" option. The app opens the Google or Facebook login page in its WebView. When the password manager autofills the credentials, it may deliver them to the host app's native fields rather than only to the intended web page.

The consequences are significant when the host app is malicious. Any rogue app that prompts users to log in via a third-party site such as Google or Facebook could harvest the credentials for that site without the user noticing anything unusual.
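The check a password-manager developer would want against the scenario above is to look at where each field in the fill request came from before deciding what to fill. In Android's autofill API, fields that belong to a WebView carry a web domain (`ViewNode.getWebDomain()`), while the host app's native views do not. The following is an added example, not code from the IIIT Hyderabad paper or from any of the password managers it names: a minimal `AutofillService` that, when a request contains WebView fields, fills only nodes whose web domain matches a vault entry and never puts web credentials into native fields of the host app. The `Credential` record, the sample vault entry and the `FieldKind` classification are assumptions made for the illustration.

```kotlin
// Added example (not from the AutoSpill paper or any vendor): an AutofillService
// fill handler that refuses to spill web credentials into the host app's native views.
import android.app.assist.AssistStructure
import android.os.CancellationSignal
import android.service.autofill.AutofillService
import android.service.autofill.Dataset
import android.service.autofill.FillCallback
import android.service.autofill.FillRequest
import android.service.autofill.FillResponse
import android.view.View
import android.view.autofill.AutofillId
import android.view.autofill.AutofillValue
import android.widget.RemoteViews

// Hypothetical vault record; a real manager would read this from its encrypted store.
data class Credential(val domain: String, val username: String, val password: String)

enum class FieldKind { USERNAME, PASSWORD, OTHER }

// One fillable field from the AssistStructure. webDomain is null for native views
// and non-null for nodes the WebView reported for the page it is rendering.
data class Field(val id: AutofillId, val kind: FieldKind, val webDomain: String?)

class WebViewAwareAutofillService : AutofillService() {

    // Constructed sample entry for illustration only.
    private val vault = listOf(Credential("accounts.google.com", "alice@example.com", "hunter2"))

    override fun onFillRequest(request: FillRequest, signal: CancellationSignal, callback: FillCallback) {
        val structure = request.fillContexts.last().structure
        val fields = collectFields(structure)

        // If any field in the request belongs to a WebView, treat the whole request as a
        // web login: choose the vault entry by web domain and fill ONLY nodes that report
        // that same domain. Native fields (webDomain == null) in the same structure belong
        // to the host app (structure.activityComponent.packageName) and must not receive
        // web credentials; that is exactly the spill AutoSpill describes.
        val webDomains = fields.mapNotNull { it.webDomain }.toSet()
        val chosen = if (webDomains.isNotEmpty()) vault.firstOrNull { it.domain in webDomains } else null
        // Native-only logins would need a package-to-domain binding (e.g. Digital Asset Links)
        // before filling; that path is out of scope here, so we decline.
        if (chosen == null) { callback.onSuccess(null); return }

        val dataset = Dataset.Builder(presentation(chosen.username))
        var filled = 0
        for (f in fields) {
            if (f.webDomain != chosen.domain) continue   // skips native and foreign-domain fields
            when (f.kind) {
                FieldKind.USERNAME -> { dataset.setValue(f.id, AutofillValue.forText(chosen.username)); filled++ }
                FieldKind.PASSWORD -> { dataset.setValue(f.id, AutofillValue.forText(chosen.password)); filled++ }
                FieldKind.OTHER -> Unit
            }
        }
        if (filled == 0) { callback.onSuccess(null); return }
        callback.onSuccess(FillResponse.Builder().addDataset(dataset.build()).build())
    }

    override fun onSaveRequest(request: android.service.autofill.SaveRequest, callback: android.service.autofill.SaveCallback) {
        // Saving is out of scope for this example; the same domain check applies there.
        callback.onSuccess()
    }

    // Flatten every window's view tree into the list of fillable fields.
    private fun collectFields(structure: AssistStructure): List<Field> {
        val out = mutableListOf<Field>()
        for (i in 0 until structure.windowNodeCount) walk(structure.getWindowNodeAt(i).rootViewNode, out)
        return out
    }

    private fun walk(node: AssistStructure.ViewNode, out: MutableList<Field>) {
        val id = node.autofillId
        if (id != null) {
            val kind = classify(node)
            if (kind != FieldKind.OTHER) out += Field(id, kind, node.webDomain)
        }
        for (i in 0 until node.childCount) walk(node.getChildAt(i), out)
    }

    // Classify by autofill hints (native views) or the HTML input type (WebView nodes).
    private fun classify(node: AssistStructure.ViewNode): FieldKind {
        val hints = node.autofillHints?.toList().orEmpty()
        val htmlType = node.htmlInfo?.attributes?.firstOrNull { it.first == "type" }?.second
        return when {
            View.AUTOFILL_HINT_PASSWORD in hints || htmlType == "password" -> FieldKind.PASSWORD
            View.AUTOFILL_HINT_USERNAME in hints || View.AUTOFILL_HINT_EMAIL_ADDRESS in hints
                || htmlType == "email" -> FieldKind.USERNAME
            else -> FieldKind.OTHER
        }
    }

    private fun presentation(label: String): RemoteViews =
        RemoteViews(packageName, android.R.layout.simple_list_item_1).apply {
            setTextViewText(android.R.id.text1, label)
        }
}
```

Two caveats. First, the WebView is still owned by the host app, so this check stops credentials from landing in the app's native views but does nothing against an app that reads the filled values back out of the page with injected JavaScript; that is a separate problem the Android documentation also flags when it says `getWebDomain()` must not be relied on for phishing detection. Second, the domain comparison here is an exact match on the reported host; a production manager would normalise it (registrable domain, subdomain rules) before matching against the vault.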

The researchers tested popular password managers, including 1Password, LastPass, Keeper, and Enpass, on up-to-date Android devices. Most of them leaked credentials even with JavaScript injection disabled; with JavaScript injection enabled, every password manager tested was susceptible to AutoSpill.

The researchers reported the flaw to Google and to the affected password managers. Some vendors, such as 1Password, have acknowledged the issue and are working on a fix. Others, like Keeper, asked for further evidence before confirming that the vulnerability exists.

LastPass had already shipped a mitigation that warns users about this scenario; it has since updated the pop-up warning with more informative wording.

The IIIT Hyderabad researchers are continuing their investigation, including whether an attacker can extract credentials in the opposite direction, from the host app into the WebView, and whether the same behaviour can be reproduced on iOS.