Android Password Keeper Alert

https://www.linkedin.com/posts/cyberxtron-technologies_autospill-android-mobilepasswordmanagers-activity-7139346707959480320-jFBX?utm_source=share&utm_medium=member_desktop

CVE Alert: AutoSpill – New Android Vulnerability in Mobile Password Managers could leak credentials 🚨

Summary: During a presentation at the Black Hat Europe security conference, researchers from the International Institute of Information Technology (IIIT) in Hyderabad revealed that, in their tests, most Android password managers were vulnerable to AutoSpill, even in the absence of JavaScript injection.

Impact:
* The researchers tested AutoSpill against a variety of password managers on Android 10, 11, and 12. They found that 1Password 7.9.4, LastPass 5.11.0.9519, Enpass 6.8.2.666, Keeper 16.4.3.1048, and Keepass2Android 1.09c-r0 were vulnerable to attacks because they rely on Android’s autofill framework.
* In contrast, Google Smart Lock 13.30.8.26 and Dashlane 6.2221.3 employed a different technical approach to the autofill process. These password managers did not expose sensitive data to the host app unless JavaScript injection was employed.

Note:
The researchers communicated their discoveries to the affected software vendors and Android’s security team, presenting their recommendations for resolving the issue. While the report was acknowledged as valid, no specific details regarding plans for rectification were disclosed.
