AutoSpill vulnerability of Android password managers exposes login data

A new security vulnerability puts password manager apps under Android at risk (Image: Dan Nelson/Unsplash).

Entering passwords using the autofill function in password managers has a security vulnerability on Android devices. Malicious apps can use the WebView module to spy on login details as they are entered.

Alexander Pensler (translated by Jacob Fisher), Published 12/12/2023 🇩🇪 🇫🇷 ...

At the Black Hat Europe 2023 security conference, researchers from the Indian Institute of Information Technology presented a new vulnerability called 'AutoSpill'. Due to a gap in the Android WebView module, which is based on the Chrome browser and used to enter passwords in apps, malicious apps can theoretically access data from the password manager unnoticed.

If a password manager automatically enters the access data using autofill, the login data can be inserted into data fields of the underlying app in WebView instead of the website. In this case, the app itself can simply read the login data, which should actually just be inserted into the login page within WebView.

This means that phishing is not necessary here, i.e. displaying a fake website with username and password fields, but rather the real login page of an internet service is displayed. The security vulnerability has been tested with password managers using Android's own Google Smart Lock as well as the third-party apps 1Password, Dashlane, Enpass, LastPass, Keepass2Android and Keeper.

According to the researchers, the 'AutoSpill' vulnerability occurs in Android versions 10, 11 and 12 and can be exploited even with JavaScript turned off in all password managers (with the exception of Google Smart Lock and Dashlane). If JavaScript is activated, all aforementioned password managers are affected by the security gap.

Source(s)

Black Hat Europe via TechCrunch

Criminals can open all Saflok RFID secured doors on a property using one keycard to create a master keycard. (Source: AI Image Dall-E 3)

Security researchers disclose vulnerability in three million Dormakaba Saflok RFID locks used in hotels and homes across 131 countries 03/24/2024

A recent dump of breached accounts included 12 TB of data. (Images: stock photos w/ edits)

"Mother of all Breaches:" Massive data leak includes 12 TB of hacked info across billions of accounts 01/23/2024

HP's Dynamic Security ensures the use of only HP ink cartridges in its printers (Image Source: HP)

HP cites threat of viruses from non-HP printer cartridges to justify blocking their use, experts sceptical 01/23/2024

The SEC's X account was hacked earlier this week, resulting in fake news about Bitcoin ETFs being spread. (Image via Shutterstock and SEC, w/ edits)

U.S. Securities and Exchange Commission X account hacked 01/13/2024

Operation Triangulation is Kaspersky's ongoing investigation of the iOS attack (Image Source: Bing AI)

Most sophisticated iPhone malware attack ever seen detailed in Kaspersky's 'Operation Triangulation' report 12/31/2023

Screenshots of the Telegram group show camera footage from bedrooms for sale

Hacked security cam footage from bedrooms, dressing rooms, spas found to be on sale on Telegram group 12/21/2023

X (Twitter) violates GDPR and DSA: Illegal micro-targeting for political advertising

X (Twitter) violates GDPR and Digital Services Act: Illegal micro-targeting for political advertising 12/15/2023

The Huawei Mate 60 Pro is causing headaches in the USA. (Image: Huawei)

USA finds Huawei Mate 60 Pro 'deeply concerning': US Secretary of Commerce threatens new sanctions 12/12/2023

Linux is also getting the dreaded Blue Screen of Death (Image: Unsplash)

Linux gets a Blue Screen of Death 12/12/2023

Linux with Cinnamon desktop under Wayland (Image: Linux Mint)

Linux Mint 21.3 beta now available for download with Cinnamon 6.0 12/08/2023

The cube effect in the desktop overview returns with Plasma 6 (source: KDE)

Linux desktop: Open Beta of KDE Plasma 6 available for testing 12/06/2023

The Heron QPU with 133 qubits (Source: IBM Research/Flickr)

Quantum computers: IBM reveals Condor and Heron quantum CPUs 12/05/2023

Security gaps in the open source services prompted a server update (Image: Nextcloud/Owncloud)

Security gaps discovered in Nextcloud and ownCloud's cloud software 12/04/2023

Loading Comments

Comment on this article

Counter-Strike 2 exploit briefly al...

Apple Music to offer incentives to ...

Editor of the original article: Alexander Pensler - News Writer - 247 articles published on Notebookcheck since 2023

Technology has been with me all my life, starting with Nintendo consoles, followed later by my first self-built PC experiences, until I disappeared into the Apple camp for a long time. But since I discovered Linux for myself, I've been using the free operating system with enthusiasm on my laptop and workstation PC. Since 2022, I have been working as an IT journalist for PC Games Hardware, among others, and am now a news editor with a focus on Linux for Notebookcheck.

Translator: Jacob Fisher - Translator - 930 articles published on Notebookcheck since 2022

Growing up in regional Australia, I first became acquainted with computers in my early teens after a broken leg from a football (soccer) match temporarily condemned me to a predominately indoor lifestyle. Soon afterwards I was building my own systems. Now I live in Germany, having moved here in 2014, where I study philosophy and anthropology. I am particularly fascinated by how computer technology has fundamentally and dramatically reshaped human culture, and how it continues to do so.

Please share our article, every link counts!

> Expert Reviews and News on Laptops, Smartphones and Tech Innovations > News > News Archive > Newsarchive 2023 12 > AutoSpill vulnerability of Android password managers exposes login data

Alexander Pensler, 2023-12-12 (Update: 2023-12-12)

AutoSpill vulnerability of Android password managers exposes login data

Source(s)

Related Articles