Numerous widely used mobile password managers may inadvertently expose user credentials due to a vulnerability in the autofill functionality of Android apps. Researchers from the International Institute of Information Technology (IIIT) Hyderabad discovered the flaw, named “AutoSpill,” which can compromise users’ saved credentials by bypassing Android’s secure autofill mechanism. The research findings were presented at Black Hat Europe.
The team, consisting of Ankit Gangwal, Shubham Singh, and Abhijeet Srivastava, observed that when an Android app loads a login page in WebView, password managers can become “disoriented” and reveal credentials to the native fields of the underlying app. WebView, a preinstalled engine by Google, allows developers to display web content within an app without launching a web browser; when the login page shown in it triggers an autofill request, the password manager may fill the host app’s own native fields as well as the web form.
Explaining the vulnerability, Gangwal used the example of logging into a music app with Google or Facebook credentials. In such cases, the autofill operation could mistakenly expose those credentials to the base app, which is especially concerning when the base app itself is malicious. Gangwal noted that even without phishing, a malicious app could automatically obtain sensitive information simply by prompting users to log in via another site.
The researchers tested the AutoSpill vulnerability on popular password managers like 1Password, LastPass, Keeper, and Enpass, on new and updated Android devices. They found that most apps were susceptible to credential leakage, even with JavaScript injection disabled. Enabling JavaScript injection made all password managers vulnerable to AutoSpill.
Gangwal promptly informed Google and the affected password managers about the flaw. Pedro Canahuati, CTO of 1Password, confirmed that the company is actively working on a fix for AutoSpill. He emphasized that the update would strengthen security by preventing native fields from being filled with credentials intended only for Android’s WebView.
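The mitigation 1Password describes above (not filling native fields with credentials meant for WebView content) can be illustrated with the kind of check an Android AutofillService could apply when it walks the fill request. The following is an added example written for this page, not code from 1Password, Google, or the researchers; the class, method and field names are hypothetical, and it assumes the standard `AssistStructure`/`ViewNode` autofill API, in which WebView content reports a web domain and native views do not.

```java
import android.app.assist.AssistStructure;
import android.app.assist.AssistStructure.ViewNode;
import android.view.View;
import android.view.autofill.AutofillId;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical helper for a password manager's AutofillService (added example). */
public final class WebViewScopedFill {

    /** A fillable field together with the web domain it belongs to (null = native view). */
    public static final class Field {
        public final AutofillId id;
        public final String webDomain;
        Field(AutofillId id, String webDomain) { this.id = id; this.webDomain = webDomain; }
    }

    /** Walks the AssistStructure of a fill request and records every fillable field. */
    public static List<Field> collectFields(AssistStructure structure) {
        List<Field> out = new ArrayList<>();
        for (int i = 0; i < structure.getWindowNodeCount(); i++) {
            walk(structure.getWindowNodeAt(i).getRootViewNode(), null, out);
        }
        return out;
    }

    private static void walk(ViewNode node, String inheritedDomain, List<Field> out) {
        // WebView content carries a web domain; nodes below it inherit that domain.
        String domain = node.getWebDomain() != null ? node.getWebDomain() : inheritedDomain;
        if (node.getAutofillId() != null && node.getAutofillType() != View.AUTOFILL_TYPE_NONE) {
            out.add(new Field(node.getAutofillId(), domain));
        }
        for (int i = 0; i < node.getChildCount(); i++) {
            walk(node.getChildAt(i), domain, out);
        }
    }

    /**
     * Returns the ids allowed to receive a credential saved for {@code credentialDomain}.
     * Native fields (no web domain) are excluded whenever the request contains web content,
     * so a login page rendered in WebView cannot spill into the host app's own views.
     * Matching a credential to the host app's package name (the native-only case) is a
     * separate check and is not shown here.
     */
    public static List<AutofillId> fillableIds(List<Field> fields, String credentialDomain) {
        boolean hasWebContent = false;
        for (Field f : fields) if (f.webDomain != null) hasWebContent = true;
        List<AutofillId> ids = new ArrayList<>();
        for (Field f : fields) {
            if (f.webDomain == null && hasWebContent) continue;                        // native field beside a WebView
            if (f.webDomain != null && !f.webDomain.equals(credentialDomain)) continue; // a different site
            ids.add(f.id);
        }
        return ids;
    }
}
```

A manager's `onFillRequest` would build its `Dataset` only from the ids returned by `fillableIds`, so credentials for the embedded site never reach the base app's fields.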
Craig Lurey, CTO of Keeper, acknowledged being notified about a potential vulnerability but did not disclose if any fixes were implemented. Keeper suggested submitting the report to Google, citing its focus on the Android platform’s security.
While Google and Enpass did not respond to inquiries, LastPass had a mitigation in place before learning of the researchers’ findings. Alex Cox, director of LastPass’ threat intelligence team, stated that they enhanced the in-product pop-up warning after analyzing the reported exploit attempt.
Gangwal mentioned ongoing research into the possibility of attackers extracting credentials from the app to WebView. Additionally, the team is exploring whether the vulnerability can be replicated on iOS.