The culmination of Black Hat Europe 2023 gathered leading industry professionals and researchers, offering forefront cybersecurity insights.
A standout briefing featured the unveiling of “AutoSpill: Zero Effort Credential Stealing from Mobile Password Managers” by Ankit Gangwal, Shubham Singh, and Abhijeet Srivastava.
Here is a simplified version of the AutoSpill mobile password manager vulnerability, focusing on the potential exploit, detection techniques, and solutions for Android users.
What is AutoSpill Vulnerability and How Does it Work?
The researchers shed light on a prevalent scenario where a web page is loaded into a mobile app using WebView controls. WebView, the preinstalled engine from Google, allows developers to display web content in-app without launching a web browser.
In their study, the researchers identified a vulnerability in Android password managers during autofill operations on login pages loaded inside an app.
The AutoSpill vulnerability arises when Android apps load a login page in WebView, causing password managers to become “disoriented” about where to target user login information. This results in the exposure of credentials to the underlying app’s native fields.
The researchers discovered that the majority of top Android password managers were vulnerable to AutoSpill, even without JavaScript injections. Enabling JavaScript injections exacerbated the issue, making all tested password managers susceptible to the vulnerability.
Implications and Ramifications for AutoSpill Vulnerability
Ankit Gangwal emphasized the ramifications of this vulnerability, particularly in scenarios involving malicious base apps. He pointed out that even without phishing, a malicious app requesting login via third-party sites like Google or Facebook could automatically access sensitive information.
The researchers tested popular password managers, including 1Password, LastPass, Keeper, and Enpass, on up-to-date Android devices.
Their findings revealed that most apps were vulnerable to credential leakage, even with JavaScript injection disabled. Enabling JavaScript injections exacerbated the vulnerability across all tested password managers.
Upon discovering the AutoSpill vulnerability, Gangwal responsibly disclosed their findings to both the affected password managers and the Android security team. The affected parties acknowledged the validity of the issue, and measures were taken to address the vulnerability.
The AutoSpill vulnerability highlights the potential risks associated with Android password managers during autofill operations.
The responsible disclosure of vulnerabilities ensures a proactive approach to safeguarding user data and maintaining the integrity of password management systems.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
